Professional Documents
Culture Documents
Introduction
The US Department of the Treasury’s Office of Foreign Asset Control (OFAC) adminis-
ters and enforces most economic and trade sanctions. Specifically, OFAC is responsible for
civil enforcement of US sanctions laws, and its regulations are enforced on a strict liability
basis, meaning that OFAC does not need to prove fault or intent to enter an enforcement
action and issue a civil penalty. In addition to OFAC, the US Department of Justice (DOJ)
and the US Attorney may pursue criminal investigations and enforcement actions for wilful
violations of US sanctions laws. Federal criminal prosecutions of sanctions violations are
generally conducted on referral by OFAC, although the DOJ may choose to pursue some
cases on its own initiative.2 Other regulators, such as the Financial Crimes Enforcement
Network (FinCEN) and the New York State Department of Financial Services, may impose
additional penalties for failure to maintain specific controls to help ensure compliance with
OFAC-administered regulations. Both federal and state regulators may pursue enforcement
actions for the same conduct simultaneously, which could lead to multiple investigations
by multiple entities. In 2019, then OFAC Director Andrea Gacki made it clear that OFAC
would no longer give credit for all types of fines paid to other agencies in global, multi-agency
settlements.3 This change in how OFAC calculates fines could lead to increased penalties in
global settlement agreements where OFAC would have taken into account the amount of
fines and penalties being levied by other agencies when determining the final penalty amount.
1 David Mortlock and Britt Mosman are partners and Nikki Cronin and Ahmad El-Gamal are associates at
Willkie Farr & Gallagher LLP.
2 31 CFR Part 501 Appendix A (II)(F).
3 Dylan Tokar, Treasury Department Changes Approach to Fines in Sanctions Cases, Wall Street Journal
(14 June 2019), available at www.wsj.com/articles/treasury-department-changes-approach-to-fines-in-sanc
tions-cases-11560552590.
114
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
During 2020, the number of enforcement actions closed and published by OFAC
decreased significantly when compared to 2019. 2020 saw approximately US$23 million in
penalties across 16 enforcement actions compared to approximately US$1.3 billion in penal-
ties across 26 enforcement cases in 2019. One potential cause of this decrease may be the
disruption caused by the covid-19 pandemic throughout 2020 and early 2021, but it could
also be a continuation of the yearly fluctuation and variance in the amount of cases closed
by OFAC. It remains to be seen whether the number of cases will continue to trend upwards
or remain steady once a sense of normalcy has returned. Despite the decreased number of
closed and published enforcement actions, OFAC has continued to pursue novel and more
aggressive enforcement theories, including showing a willingness to pierce the corporate veil
and pursue enforcement cases for even indirect contact with US financial institutions and
expanding its jurisdiction in the wake of technological advancement. OFAC also published
its first enforcement action related to digital currency transactions on 30 December 2020,
followed closely by a second enforcement action related to digital currency transactions in
February 2021, indicating that the agency is ready to aggressively pursue enforcement actions
against apparent violation involving transactions using digital currency transactions nearly
two years after the publication of FAQs 559–563.4
Notably, there has been little judicial review or oversight of OFAC’s enforcement theories.
Almost all cases that are not resolved by no-action or cautionary letters are settled, and very
few are challenged in court. However, there are exceptions to this general trend, including
Exxon Mobile Corporation’s challenge of a US$2 million civil penalty imposed by OFAC,
which resulted in the penalty being vacated by a District Court in the Northern District of
Texas on the grounds that OFAC failed to provide fair notice regarding the agency’s interpre-
tation of the relevant sanctions regulations.5 Additionally, in enforcement actions concluded
after the May 2019 release of OFAC’s ‘A Framework for Compliance Commitments’ (the
Framework),6 OFAC has assessed parties’ compliance with the Framework as an aggravating
or mitigating circumstance, tracking the parties’ violation against the Framework. The new
trends in enforcement, highlighted by recent OFAC cases, show that a strong compliance
programme in line with the Framework is a key factor for parties seeking to avoid OFAC
enforcement actions moving forward.
Investigation
Commencement
The US government can learn of a potential sanctions violation in a number of ways, but the
primary means of discovery are through voluntary self-disclosures (VSDs), reports of blocked
4 Published in March 2018, FAQs 559–563 detail the compliance responsibilities of entities involved in the
digital currency industry or using digital currency as a means of conducting transactions as well as providing
key definitions and information on how OFAC will use existing authorities to bring enforcement actions
with respect to apparent violations involving the use or transfer of digital currency. See OFAC Frequently
Asked Questions ‘Questions on Virtual Currency,’ available at https://home.treasury.gov/policy-issues/
financial-sanctions/faqs/topic/1626.
5 See Exxon Mobil Corporation v. Steven Mnuchin, CIVIL ACTION NO. 3:17-CV-1930-B (N.D. Tex. 2019).
6 US Department of the Treasury, ‘A Framework for OFAC Compliance Commitments’, at www.treasury.gov/
resource-center/sanctions/Documents/framework_ofac_cc.pdf.
115
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
and rejected transactions, referrals from other government agencies, and even publicly avail-
able information, such as media reports.
If a company conducts an internal investigation or otherwise learns of a potential viola-
tion itself, it may submit a VSD to OFAC. A VSD has many benefits, described further
below, including a significant reduction in the base penalty calculation for any potential
enforcement action. Depending on the particular circumstances of a violation, the submis-
sion of a VSD and subsequent cooperation with OFAC should be carefully considered.
A VSD is not the only means by which the government learns of potential violations.
The government frequently learns of violations through reports generated by US persons,
primarily banks, that have blocked or rejected a transaction based on a suspected sanctions
violation. US persons are required under the sanctions regulations to submit blocking and
reject reports to OFAC within 10 business days of the action to block or reject a transaction.
Beginning in June 2019, new regulations require that all US persons report rejected transac-
tions to OFAC within 10 days.7 Previously, all parties already had an obligation to report
transactions involving blocked property to OFAC, but only US financial institutions had
the obligation to report rejected transactions. OFAC may also learn of sanctions violations
through anti-money laundering reports, primarily suspicious activity reports (SARs), which
are also typically submitted by banks and other financial institutions.
In an enforcement action against Hotelbeds USA, OFAC was notified of the apparent violations
when a US financial institution blocked a payment relating to a Cuba-travel transaction and
Hotelbeds USA sought a specific licence to unblock the funds, which was denied by OFAC.
OFAC may also learn of potential violations through other government agencies, including
foreign governments. Criminal investigations conducted by the DOJ and other federal and
state law enforcement can lead to the discovery of sanctions violations.
Notification
Once OFAC learns of a potential violation and decides to launch an investigation, OFAC
may make an initial request for information with an administrative subpoena or, depending
on the nature of the violation, direct a more informal set of questions to the involved parties,
including non-US persons.
Notably, a 2019 DC Circuit Court decision – which required three Chinese banks, two
of which have US branches, to comply with the government’s grand jury subpoenas and
document production orders in connection with the violation of the US sanctions on North
Korea – expanded the ability of US federal prosecutors to subpoena the financial records of
foreign financial institutions during an investigation.9 The Court held that in instances where
a foreign bank has a US branch, it consents to federal court jurisdiction on matters overseen
116
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
by the Federal Reserve including money laundering and sanctions violations.10 The Court
also held that the Attorney General’s power under the Bank Secrecy Act to compel a foreign
bank to produce documents is not limited to transactions that pass directly through a foreign
bank’s US foreign account, but also any foreign records with a connection to the bank’s US
correspondent account.11
The DOJ’s authority to issue subpoenas to foreign financial institutions was expanded
under the Anti-Money Laundering Act of 2020 (AMLA). In addition to having the authority
to issue subpoenas to foreign financial institutions that maintain a correspondent account in
the United States for records related to the correspondent account, the AMLA expanded the
DOJ’s subpoena power to cover ‘any account at the foreign bank, including records main-
tained outside of the United States’ if those records are part of a broad list of enforcement
actions, including criminal prosecutions or violations of the Bank Secrecy Act (BSA).12
Competent authorities
The authorities responsible for enforcing US sanctions are primarily OFAC (responsible
for civil enforcement) and the DOJ (responsible for criminal enforcement). Furthermore,
financial regulators, including the New York State Department of Financial Services and the
Federal Reserve Board, among others, may impose fines and other penalties for compliance
failures associated with insufficient sanctions compliance programmes.
Substantive offences
Each sanctions programme administered by OFAC is different depending on the aims of
the government. OFAC sanctions programmes generally prohibit US persons from engaging
in transactions, directly or indirectly, involving designated individuals or entities (persons).
Other sanctions programmes, such as those against Cuba and Iran, are comprehensive in
nature, generally prohibiting exports of goods or services by US persons or from the United
States to those territories. Regardless, there are common elements for a finding of an apparent
violation, generally a breach of regulations for an embargo or transaction involving specially
designated nationals and blocked persons or entities subject to sectoral sanctions. OFAC
regulations are civil in nature, meaning they generally do not require mens rea, intent or
knowledge for an apparent violation to be found and a penalty to be assessed. However, if the
apparent violation included a wilful attempt at evading, avoiding, attempting or conspiring
to evade or avoid, or facilitating a prohibited transaction, it could expose the party to crim-
inal liability and prosecution by the DOJ.
OFAC’s enforcement authority and procedures are further defined by OFAC’s general
enforcement guidelines at 31 CFR 501 Appendix A. These enforcement guidelines establish
the factors for calculating the base penalty amounts, based on a number of specific factors
including whether the violation is egregious or non-egregious and whether the violations
were voluntarily disclosed to OFAC.
10 id. at 10.
11 id. at 9.
12 31 USC § 5315(k) as amended by the Anti-Money Laundering Act 2020.
117
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
In an enforcement action against the General Electric Company (GE), OFAC signalled its will-
ingness to pierce the veil in enforcement cases by entering enforcement proceedings against GE
regarding apparent violations by three of its non-US subsidiaries. The three non-US subsidiaries
of GE had accepted 289 payments from the Cobalt Refinery Company, a party owned in part by
the Cuban government and on OFAC’s list of specially designated nationals and blocked persons.
Foreign persons that are owned or controlled by a US person are required to comply with the
restrictions imposed by the Cuban Assets Control Regulations.
In an enforcement action against Berkshire Hathaway Inc, OFAC again pierced the veil by
entering an enforcement proceeding against Berkshire for apparent violations of the Iranian
Transaction and Sanction Regulations (ITSR) by its indirectly wholly owned Turkish subsidiary.
These actions were conducted under the direction of certain senior managers in Turkey, despite
Berkshire and other Berkshire subsidiaries’ repeated communications and policies sent to the
Turkish subsidiary regarding US sanctions against Iran and the application of the ITSR to its
operations in Turkey. The ITSR explicitly state that a penalty shall be imposed against the US
parent for a foreign subsidiary’s prohibited dealings with Iran.
In an enforcement action against British Arab Commercial Bank (BACB), OFAC considered
even tenuous and indirect contact with US financial institutions as grounds for an enforcement
action. OFAC found that BACB had violated Sudanese sanctions despite the fact that the trans-
actions at issue were not processed to or through the US financial system. BACB operated a
nostro account in a country that imports Sudanese-origin oil for the stated purpose of facilitating
payments involving Sudan. The bank funded the nostro account with large, periodic US dollar
wire transfers from banks in Europe, which in turn transacted with US financial institutions in a
manner that violated OFAC sanctions.
118
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
Expanded jurisdiction15
As noted in OFAC’s Framework for Compliance Commitments, this case demonstrates the importance
for companies operating in high-risk industries (e.g., international shipping and trading) to implement
risk-based compliance measures, especially when engaging in transactions involving exposure to juris-
dictions or persons implicated by US sanctions.
In an enforcement action against BitGo, Inc, OFAC signalled its intent to enforce sanctions
compliance in the cryptocurrency industry. The apparent violations involved users located in
sanctioned jurisdictions signing up for and accessing BitGo’s secure digital wallet management
services to engage in digital currency transactions. Despite having access to the IP addresses of
its customers, tracked at the time for security purposes related to logins, BitGo did not use
that information for sanctions compliance purposes. OFAC highlighted the importance of enti-
ties involved in providing digital currency services to implement sanction compliance controls
commensurate with their risk profile. The fact that BitGo did not implement appropriate,
risk-based sanction compliance controls and had reason to know the users were located in sanc-
tioned jurisdictions based on their IP addresses were seen as aggravating factors.
119
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
In an enforcement action against BitPay, Inc, OFAC signalled that companies involved in
providing digital currency services would be subject to the same compliance requirements as finan-
cial institutions. BitPay offers a payment processing solution for its direct merchant customers
to accept digital currency. Specifically, BitPay would receive digital currency payments on behalf
of its merchant customers and convert the digital currency to fiat currency before relaying that
currency to the merchant. While BitPay screened its direct customers, BitPay failed to screen loca-
tion data it obtained about its merchant buyers. As a result, BitPay processed 2,102 transactions
on behalf of individuals located in sanctioned jurisdictions.
In an enforcement action against Generali Global Assistance, Inc (GGA), OFAC highlighted the
importance of ensuring that sanctions compliance policies and procedures address both direct
and indirect sanctions compliance risks. GGA served as a travel services provider on behalf of two
Canadian insurers that offered policies for Canadian subscribers who travelled to Cuba, providing
medical expense claim processing and payment services to one of the Canadian insurers. For
payments intended for Cuban service providers, GGA would intentionally refer the requests to
a Canadian affiliate and then reimburse that affiliate for the amounts paid. In the enforcement
action, OFAC specifically noted the sanctions risks of implementing a procedure to process, indi-
rectly, transactions whose direct processing would be prohibited by US sanctions laws.
The Department of Justice enforces criminal sanctions violations. Criminal liability may
be imposed against a person who wilfully commits, attempts to commit, or conspires to
commit, or aids or abets in the commission of, an unlawful act pursuant to the International
Emergency Economic Powers Act (IEEPA), the Act pursuant to which most sanctions regula-
tions are issued. Criminal liability pursuant to IEEPA may include a fine of not more than
US$1 million or, if a natural person, a prison term of not more than 20 years, or both.19
120
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
OFAC’s enforcement action against UniCredit Bank AG highlighted the bank’s wilful intent to
circumvent US sanctions, citing formal UniCredit Bank AG documents containing policies and
procedures that instructed bank personnel to ensure payment structures were formatted in a way
to hide the participation of OFAC-sanctioned parties.
OFAC found that Standard Chartered Bank had actual knowledge or reason to know of its
apparent violations of several sanctions regulations, including the Cuban Assets Control
Regulations and the Iranian Transactions and Sanctions Regulations, which OFAC deemed an
aggravating factor.
OFAC found that Jiangsu Guiqiang Tools Co Ltd (GQ), a subsidiary of Stanley Black & Decker,
Inc, which agreed to pay the penalty for both itself and GQ, harmed the objectives of the Iranian
Transactions and Sanctions Regulations by conferring an economic benefit to Iran in a systematic
scheme involving the export and attempted export of several shipments of power tools and spare
parts to a third country with knowledge that the goods were intended specifically for supply,
trans-shipment or re-exportation to Iran.
In OFAC’s enforcement action against Cubasphere Inc for violations of the Cuban Assets Control
Regulations, OFAC considered the fact that Cubasphere was a small company with few employees
as a mitigating factor. By contrast, in OFAC’s enforcement action against Apollo Aviation Group,
LLC (Apollo) for violations of the Sudanese Sanctions Regulations, OFAC highlighted Apollo’s
size and sophistication as an aggravating factor.
121
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
• the existence, nature and adequacy of a compliance programme in place at the time of
the violation;24
In OFAC’s enforcement action against Haverly Systems, Inc for violations of the Ukraine Related
Sanctions Regulations, OFAC considered the fact that Haverly did not have a formal OFAC sanc-
tions compliance programme at the time the apparent violations occurred an aggravating factor.
• the remedial response that the party took upon learning of the violation;25 and
In OFAC’s enforcement action against PACCAR, Inc on behalf of its wholly owned subsidiary
DAF Trucks NV (DAF) for violations of the Iranian Transactions and Sanctions Regulations,
OFAC considered the remedial actions taken by DAF a mitigating factor. On learning of the
apparent violations, DAF conducted an internal investigation, dismissed employees involved in
some of the apparent violations, cancelled the delivery of 20 trucks for customers that appeared
to have sold or allowed DAF trucks to be sold to buyers in Iran, provided compliance training
annually to DAF subsidiaries and implemented enhanced trade compliance controls in an effort
to prevent similar apparent violations from reoccurring.
• cooperation with OFAC, through a VSD or subsequent cooperation during the investiga-
tion (or both).26
In OFAC’s enforcement action against Stanley Black & Decker, Inc and its subsidiary, OFAC
found that Stanley Black & Decker’s cooperation with OFAC, including an extensive internal
investigation and meaningful responses to OFAC’s requests for additional information was a
mitigating factor.
A key factor, as evidenced by recent OFAC decisions, is the existence and maintenance
of an adequate compliance programme in line with OFAC’s Framework for Compliance
Commitments. Beginning in 2020, each of the decisions published by OFAC has included a
paragraph referencing the Framework.27
122
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
As with OFAC, the DOJ generally views voluntary disclosure, full cooperation and timely
and effective remedial measures as mitigating factors. The guidelines from the DOJ’s updated
VSD policy,28 discussed in further detail below, breaks down full cooperation as:
• timely disclosure of all facts;
• proactive cooperation;
• preservation, collection and disclosure of relevant documents (Guidelines list examples);
• deconfliction of witness interviews;
• retention of business records and prohibition of the improper destruction or deletion of
those records; and
• any additional steps that demonstrate recognition of the seriousness of misconduct,
acceptance of responsibility and implementation of measures to reduce risk of a repeti-
tion of the misconduct.
The updated policy also lays out what the DOJ considers as aggravating factors during
an investigation for criminal sanctions violations. The aggravating factors listed by the
DOJ include:29
• exports of items controlled for nuclear nonproliferation or missile technology reasons to
a proliferator country;
• exports of items known to be used in the construction of weapons of mass destruction;
• exports to a foreign terrorist organisation or specially designated global terrorist;
• exports of military items to a hostile foreign power;
• repeated violations, including similar administrative or criminal violations in the past; and
• knowing involvement of upper management in the criminal conduct.
The DOJ released an update to its ‘Evaluation of Corporate Compliance Programs’30 guidance
document, on 1 June 2020. The ‘Principles of Federal Prosecution of Business Organizations’
include several factors that prosecutors should consider when conducting an investigation
of a corporation, including the adequacy and effectiveness of a corporation’s compliance
programme at the time of an offence. Maintaining an effective compliance programme may
be considered an additional mitigating factor.
When determining whether a corporation has an effective compliance programme, the
DOJ considers three main questions:
• Is the corporation’s compliance programme well designed?
• Is the compliance programme being applied earnestly and in good faith?
• Does the corporation’s compliance programme work in practice?
of investigations resulting in settlements. The Framework includes an appendix that offers a brief analysis of some
of the root causes of apparent violations of US economic and trade sanctions programs OFAC has identified
during its investigative process.’).
28 US Department of Justice [DOJ], National Security Division, ‘Export Control and Sanctions Enforcement
Policy for Business Organizations’ (13 December 2019), at www.justice.gov/nsd/ces_vsd_policy_2019/
download.
29 id.
30 DOJ, Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (updated June 2020), at https://www.
justice.gov/criminal-fraud/page/file/937501/download.
123
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
Self-reporting
Reporting to OFAC
As previously mentioned, OFAC views the self-disclosure of apparent violations favourably.
The self-disclosure of a violation can significantly reduce a potential civil penalty amount. To
be considered voluntary, a disclosure must be self-initiated and made to OFAC before either
OFAC or any government agency or official discovers the apparent violation. Notification
of an apparent violation to another government agency, which is considered a VSD by that
agency, may be considered a VSD to OFAC on a case-by-case basis. When making a VSD
to OFAC, the VSD must include or be followed by a report containing sufficient details to
provide a complete understanding of the circumstances of the apparent violation. In some
instances, it may be beneficial to the party to make a preliminary disclosure to OFAC before
knowing all the facts so as to make a timely disclosure yet ensure that the disclosure is volun-
tary. Parties should also ensure that their VSD and follow-up report contain all the details
known at the time they are submitted. Parties submitting VSDs should also be prepared to
respond to any follow-up enquiries by OFAC.31
However, not all notifications to OFAC of an apparent violation will be considered a
VSD. Specifically, a notification will not be considered a VSD if a third party notifies OFAC
of the apparent violation or substantially similar apparent violation because it blocked or
rejected a transaction, or if the disclosure:
• includes false or misleading information or is materially incomplete;
• is not self-initiated;
• is made without the authorisation of senior management; or
• is in response to an administrative subpoena or other enquiry form.32
124
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
33 id.
34 31 CFR 501.603 and 501.604.
35 id.
36 DOJ, National Security Division, ‘Export Control and Sanctions Enforcement Policy for Business Organizations’
(13 December 2019), at https://www.justice.gov/nsd/ces_vsd_policy_2019/download.
125
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
Finally, parties are required to demonstrate a thorough analysis of the causes of underly-
ing conduct and, where appropriate, engage in remediation; implement an effective compli-
ance programme; discipline employees identified by the party as responsible for the oversight;
retain business records and prohibit the improper destruction of those records; and take any
additional steps that demonstrate recognition of the seriousness of a party’s misconduct.
126
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
if accepted, the VSD will reduce the base amount of the penalty by approximately 50 per
cent in both egregious and non-egregious cases.39 As mentioned above, VSDs are not the
only mitigating factors that OFAC takes into account when determining the amount of a
penalty. Parties should immediately take any reasonable remedial measures after discovering
the apparent violation and discuss those measures in their submission. Additionally, parties
should maintain a compliance programme in line with OFAC’s Framework for Compliance
Commitments and, to the extent possible, map the apparent violation against their compli-
ance programme and how the party has remedied, or intends to remedy, the deficiency in its
programme that caused the apparent violation.
Further, when submitting a VSD to OFAC, a party must consider the chance that OFAC
may launch a broader investigation of the party and find additional, undisclosed violations
under one of its many sanctions programmes or violations that cause OFAC to notify other
government agencies, including a potential referral to the DOJ for criminal enforcement.
While notifications made to other government agencies may be considered a VSD for
OFAC enforcement purposes, a VSD to OFAC will not qualify as a VSD made to the DOJ.
Therefore, parties should carefully consider if there was an element of wilfulness in the appar-
ent violations or other activity that would be considered criminal in nature and would cause
OFAC to refer the case to the DOJ. If a party believes that the case may be referred to the
DOJ, it should consider submitting a VSD to the DOJ either prior to, or simultaneously
with, submitting its VSD to OFAC to take advantage of the DOJ’s VSD policy.
127
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
criminal prosecution as seen in recent DOJ cases regarding UniCredit,40 Société Générale41
and Halkbank.42 Despite this, there are still issues with the policy that may deter business
organisations from submitting VSDs to the DOJ.
One factor to take into consideration under the new policy is that it makes clear that a
VSD to a regulatory agency will not be enough to qualify for the benefits of the DOJ policy.
This is in contrast with OFAC’s position that notification of an apparent violation to another
government agency that is considered a VSD by that agency may be considered a VSD by
OFAC based on a case-by-case assessment. This, coupled with the requirement that a VSD be
made before any imminent threat of disclosure or government investigation, means that par-
ties must decide early in their investigation of a potential violation of sanctions or export laws
if they need to file with both regulatory agencies and the DOJ. Investigations can take unex-
pected turns, however, transforming an ostensible civil issue into a potential criminal matter
if evidence of wilfulness is discovered. However, by filing with the DOJ, a party could expose
itself to a potential criminal investigation and heavy, continuing disclosure obligations.
Moreover, the policy applies only to the DOJ and does not bind other regulators, includ-
ing state banking regulators such as the New York State Department of Financial Services
or the Federal Reserve. Those other enforcement authorities have their own programmatic
mandates, which may be inconsistent with the outcomes available under the new policy. Put
differently, self-reporting to the DOJ may earn you the carrot from the DOJ, but you may
still face the stick from other regulators.
The key to effectively utilising this policy rests in the foundation of a party’s compliance
policies and procedures. Even if the policies and procedures fail to prevent a violation from
occurring, they can assist a party in quickly determining the nature and degree of the viola-
tion. This should help parties recognise earlier in their investigation of a potential violation
whether they need to issue a VSD to the DOJ.
128
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
comment letters discussing sanctions issues has risen from 1.5 per cent in 2014 to 4.5 per cent
in 2018.44 Despite this, the SEC has not traditionally acted as an enforcement agency in the
mould of OFAC or the DOJ, only seeking disclosure and reporting of sanctions-related risks.
However, in a recent Foreign Corrupt Practices Act (FCPA) case against Quad/Graphics,
the SEC found that, in addition to violating anti-bribery and bookkeeping offences, Quad/
Graphics participated in a scheme to circumvent US sanctions and export control laws.45
The DOJ had declined to prosecute Quad/Graphics despite finding evidence of bribery and
did not reference the sanctions evasion scheme.46 It remains to be seen whether the SEC will
continue to use provisions of the FCPA to enforce US sanctions laws. Based on this and the
increased frequency of the SEC’s requests for information and disclosure of sanctions-based
risks, parties should consider notifying the SEC of apparent violations. However, this should
be done while keeping in mind the requirements for VSD submissions to OFAC and
the DOJ.
In addition to the SEC, parties should be aware that OFAC maintains memoranda of
understanding (MOUs) with several state and federal banking regulatory agencies.47 These
MOUs outline how OFAC and the banking regulators will share information regarding
apparent violations of US sanctions. Banking regulators, such as the Federal Reserve, may
impose penalties on the financial institutions they oversee in connection with apparent vio-
lations of US sanctions laws. The jurisdiction of these regulators is generally based on the
requirements for safe and sound banking practices, which may include compliance with
US economic sanctions and financial crime laws and requirements to disclose sanctions
risks.48 Accordingly, financial institutions should consider notifying their banking regulators
of apparent violations if they plan to submit a VSD to OFAC. However, as discussed with
respect to the SEC, this should be done while conscious of the requirements for VSD sub-
missions to OFAC and the DOJ.
Parties should also assess whether the apparent violation of US sanctions laws also vio-
lates the sanctions laws of other jurisdictions. For example, if a party operates in both the
United States and the United Kingdom and commits an apparent violation that would be in
breach of sanctions law in both countries, the party should consider making a disclosure to
44 Menghi Sun and Mark Maurer, ‘SEC Questions More Companies About Sanctions Disclosures’, Wall Street
Journal (28 August 2019) (citing Audit Analytics), at www.wsj.com/articles/sec-questions-more-companie
s-about-sanctions-disclosures-11567018243.
45 See Securities and Exchange Commission press release of 26 September 2019, at www.sec.gov/news/
press-release/2019-193.
46 See DOJ Response Letter, Re: Quad/Graphics Inc, at https://www.justice.gov/criminal-fraud/file/1205341/
download.
47 The US Department of the Treasury maintains a list of memoranda of understanding between OFAC
and state and federal banking regulators at https://home.treasury.gov/policy-issues/financial-sanctions/
civil-penalties-and-enforcement-information/2019-enforcement-information/memoranda-of-understan
ding-between-ofac-and-bank-regulators.
48 See, for example, ‘Board of Governors of the Federal Reserve System, Order to Cease and Desist and Order of
Assessment of Civil Money Penalty Issued Upon Consent Pursuant to the Federal Deposit Insurance Act, as
Amended, In the Matter of Standard Chartered PLC’ (8 April 2019) available at https://www.federalreserve.
gov/newsevents/pressreleases/files/enf20190409a1.pdf. (Stating that Standard Chartered PLC and Standard
Chartered Bank were fined for unsafe and unsound practices relating to inadequate sanctions controls and failure
to disclose sanctions risks to the Federal Reserve.)
129
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
both OFAC and the UK’s Office of Financial Sanctions Implementation. Foreign regulatory
agencies may share information regarding apparent violations directly or learn of an apparent
violation if it is published by a foreign regulator. Therefore, a party should ensure that it
considers whether its actions violate non-US sanctions laws and whether the party would be
subject to the jurisdiction of non-US regulators.
Additionally, parties should be aware of how public perception and negative press relating
to the discovery of an apparent violation can materially affect a party’s reputation. A VSD and
a detailed plan to implement remediation measures targeting the root cause of the apparent
violations may mitigate some of the associated reputational damage. However, regardless
of how the apparent violation was reported or discovered, public scrutiny still represents a
risk factor for future business partners and investors. As a result, reputational damage could
lead to lost opportunities and burdensome due diligence requirements imposed by potential
business partners.
Anti-money laundering
Suspicious activity reports
As mentioned above, anti-money laundering investigations can overlap with investigations of
apparent sanctions violations. Additionally, disclosures to one regulatory authority can notify
other authorities of potential violations leading to overlapping investigations for different
violations caused by the same action. A financial institution that intentionally attempts to
deceive US regulatory authorities or cover up an apparent violation of US sanctions laws, for
example, is likely to simultaneously engage in violations of anti-money laundering laws.49
Under the BSA, financial institutions50 are required to report ‘any suspicious transac-
tion relevant to a possible violation of law or regulation’. FinCEN has issued regulations
implementing the BSA requiring certain financial institutions, including banks, securities
broker-dealers, introducing brokers, casinos, futures commission merchants and money ser-
vices businesses, to report any suspicious activity above a certain dollar threshold in a SAR.
Each industry has its own form and, generally, the report must be submitted within 30 days
of the detection of the suspicious activity.
As discussed in earlier sections of this chapter, OFAC requires financial institutions to
submit reports regarding any transactions that were rejected or blocked as a result of the
49 An example of simultaneous sanctions and anti-money laundering enforcement can be found in the ongoing
case of Halkbank. The Turkish state-owned bank allegedly participated in a multibillion-dollar scheme to evade
US sanctions on Iran, including facilitating fraudulent transactions designed to appear to be purchases of food
and medicine. The DOJ referenced the knowing involvement of senior officers at the bank and discussions on
how best to structure transactions to evade scrutiny by US regulators. As is often the case with schemes to avoid
sanctions, Halkbank violated anti-money laundering laws by using fraudulent pretences and representations to
defraud financial institutions. See United States v. Halkbank, Superseding Indictment S6 15 Cr. 867 (RMB), at
www.justice.gov/opa/press-release/file/1210396/download.
50 The Bank Secrecy Act defines ‘financial institutions’ at 31 USC 5312. This list at 31 USC 5312(a)(2) includes,
but is not limited to, insured banks, commercial banks or trust companies, private bankers, brokers and dealers
in securities or commodities, investment bankers or companies, insurance companies, certain casinos and any
businesses or agencies that engage in any activity which the Secretary of the Treasury determines, by regulation,
to be an activity that is similar to, related to, or a substitute for any activity in which any business described in
31 USC 5312(a)(2) is authorised to engage.
130
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
involvement of a person on OFAC’s list of specially designated nationals and blocked per-
sons. These transactions would be considered suspicious activity under the BSA due to the
possibility that they violate US sanctions regulations, and financial institutions would be
required to submit a SAR to FinCEN. However, FinCEN’s requirements will be satisfied
by filing a rejection or blocking report to OFAC.51 OFAC will then pass the information to
FinCEN, where the activity will be logged in the suspicious activity reporting database and
become available to law enforcement agents. However, FinCEN notes that to the extent a
financial institution has information related to the activity that was not disclosed or included
in the blocking report, the financial institution should file a separate SAR with FinCEN
including that information.52
As discussed above, a notice of an apparent violation through a third-party rejection or
blocking report will negate any benefit that a party may have received from submitting a
VSD. Additionally, because the information filed in a rejection or blocking report will be
passed to FinCEN and made available to law enforcement, it could trigger additional inves-
tigations relating to money laundering or other civil and criminal offences. Parties should be
aware of how regulators share information and how a third-party report may trigger multiple
investigations from several government agencies, negating any benefit the party would receive
from self-reporting the apparent violation.
In understanding and examining the risks associated with third-party reports, parties
should also be aware of the AMLA, ultimately passed on 1 January 2021. The AMLA
expands the BSA to include measures to strengthen FinCEN and inter-agency coordina-
tion and enforcement, among other provisions such as enhanced regulatory coverage of
non-traditional exchanges of value and new beneficial ownership reporting requirements.
As noted above, one way that OFAC may learn of apparent violations of US sanctions laws
is through information shared by foreign regulatory bodies. The AMLA requires the US
Treasury department to create a three-year pilot programme allowing financial institutions
to share SARs information with the institution’s foreign branches, subsidiaries, and affiliates
for the purpose of combating illicit finance risks.53 Additionally, the AMLA also requested
the establishment of an exchange designed to facilitate information sharing between financial
institutions, law enforcement agencies, national security agencies and FinCEN.54
As these programmes continue to develop, the enhanced information-sharing mecha-
nisms and procedures could lead to faster detection by or notification of a potential viola-
tion to OFAC, negating any benefits that would be received by self-reporting as the report
would no longer be considered voluntary by OFAC. The implementation and effect of these
information-sharing programmes should be monitored by parties, and their potential impact
on the time it takes for OFAC to independently discover or be notified of an apparent viola-
tion considered when deciding if and when to file a VSD.
51 See FinCEN Interpretive Guidance ‘Interpretation of Suspicious Activity Reporting Requirements to Permit the
Unitary Filing of Suspicious Activity and Blocking Reports’, December 2004, available at www.fincen.gov/sites/
default/files/guidance/20041214a.pdf.
52 id.
53 31 USC § 5318(g)(8) as amended by the Anti-Money Laundering Act, 2020.
54 31 USC § 310(d) as amended by the Anti-Money Laundering Act, 2020.
131
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
Resolution of investigations
OFAC has a variety of enforcement options available to it upon learning of a potential viola-
tion of US sanctions. If OFAC determines that there is insufficient evidence that a violation
has occurred or concludes that the conduct does not warrant an administrative response, then
no action will be taken.55 In cases where OFAC is aware that the subject of the investiga-
tion knows of OFAC’s investigation, OFAC will generally issue a no-action letter. If OFAC
determines that there is insufficient evidence of a violation but that the activity in question
could lead to a violation or that there is a lack of due diligence in assuring compliance with
US sanctions laws, OFAC may issue a cautionary letter.56 A cautionary letter will generally lay
out OFAC’s concerns about the underlying conduct or concerns regarding the compliance
policies, practices and procedures that led to the apparent violation. If OFAC determines that
a violation has occurred but that a civil monetary penalty is not appropriate, OFAC may issue
a finding of violation.57 Although there is no monetary penalty involved, OFAC announces
findings of violations in press releases and publishes a notice containing the description of the
violations and its analysis, which can cause reputational damage to a party.
Cautionary letter58
In OFAC’s enforcement action against AppliChem GmbH, OFAC noted that it had previously
issued a cautionary letter to Illinois Tool Works Inc, a US company that acquired AppliChem,
regarding AppliChem’s post-acquisition sales to Cuba.
OFAC may also impose a civil monetary penalty upon determining that a violation has
occurred.59 These penalties will be determined in line with OFAC guidelines and subject
to the mitigating and aggravating factors described above. Parties may also decide to enter
into a settlement with OFAC to reduce their maximum exposure to penalties.60 Settlement
discussions may be initiated by OFAC or the party that committed the apparent violation.
Settlements can be made before or after the issuance of a pre-penalty notice and may also
include multiple apparent violations, even if they are covered under separate pre-penalty
notices. Notably, OFAC settlements may be a part of a comprehensive settlement with other
federal, state or local agencies.
132
© Law Business Research 2021
US Sanctions Enforcement by OFAC and the DOJ
Global settlement61
UniCredit Bank AG agreed to pay approximately US$611 million to OFAC as part of a larger,
US$1.3 billion settlement with federal and state government partners.
Finally, OFAC may refer a case to appropriate law enforcement if it determines that the
activity warrants a criminal investigation or prosecution (or both).62
Similar to the multiple options available to and utilised by OFAC, the DOJ has a variety
of enforcement options available to it when closing a case. First, it may choose to resolve a
case using a deferred prosecution agreement (DPA) or a non-prosecution agreement (NPA).
Under a DPA, the DOJ will bring charges against the party committing the violation but
agrees not to proceed with those charges so long as the party follows a negotiated set of require-
ments or conditions. Under an NPA, the DOJ will not file charges against the party and will
generally require the party to comply with certain conditions or pay a fine. Additionally,
DPAs and NPAs may impose a corporate monitor on the party to the agreement. The party
bears the costs of the corporate monitor and the scope of the monitor’s oversight responsibili-
ties are negotiated by the party and the DOJ. The DOJ may also seek the forfeiture of assets
relating to the apparent violation as part of the penalties assessed against the party.
If the DOJ initiates an investigation either through a referral by another government
agency or independent discovery of an apparent violation, the offending party may be
charged under numerous criminal statutes depending on the nature of the violation. For
example, a single party may be charged for a wilful violation of IEEPA while simultaneously
being charged for fraud, criminal money laundering and other offences committed in coordi-
nation with the apparent violation.63 These could lead to significant monetary penalties and
potential imprisonment for individuals involved in the apparent violation.
61 See, e.g., US Department of the Treasury press release, ‘U.S. Treasury Department Announces Settlement with
UniCredit Group Banks’ (15 April 2019), at https://home.treasury.gov/news/press-releases/sm658.
62 31 CFR 501 Appendix A (II)(F).
63 See DOJ press release of 15 October 2019, at https://www.justice.gov/opa/pr/turkish-bank-charged-manhatta
n-federal-court-its-participation-multibillion-dollar-iranian (‘[Halkbank] was charged today in a six-count
indictment with fraud, money laundering, and sanctions offenses related to the bank’s participation in a
multibillion-dollar scheme to evade U.S. sanctions on Iran.’).
133
© Law Business Research 2021
Part II
Compliance Programmes
The past decade has seen sanctions move up the risk agenda, becoming one of the most
significant risks for any business operating across multiple jurisdictions. Once only a real
concern for regulated financial institutions, the proliferation of enforcement action, by the
Office of Foreign Assets Control (OFAC) in particular, has forced all businesses, irrespective
of the sectors in which they operate, to consider the adequacy of their sanctions compli-
ance programmes. Add to this the pressure being brought to bear by those companies’ own
business partners to outline the mitigating steps they take to ensure downstream sanctions
compliance, and never has ensuring that an effective sanctions compliance programme is
implemented been more important. This chapter considers the key areas of focus that busi-
nesses and their teams should consider when developing sanctions compliance programmes.
1 Zia Ullah is a partner and Victoria Turner is a principal associate at Eversheds Sutherland. The authors wish to
extend special thanks to associate Lorena Dervishi for her assistance with this chapter.
2 Office of Foreign Assets Control [OFAC], FAQs 25 to 30.
195
© Law Business Research 2021
Principled Guide to Sanctions Compliance Programmes
same strategies that are employed by smaller businesses with only a fraction of the number of
customers or potential sanctions touch points across their business life cycles. As we outline
below, assessing the sanctions risks applicable to any particular business will ensure that the
most proportionate sanctions compliance programme is implemented for that enterprise,
taking into account the levels of resources that are available, or indeed appropriate.
Preventive measures
Prevention is key in terms of sanctions compliance. Regulators across the world take a dim
view of those institutions that fail to identify risks and seek to implement preventative meas-
ures to mitigate those risks. In this regard, sanctions compliance is no different from other
financial crime compliance. However, sanctions compliance has a number of unique and
specific challenges, including the constantly evolving regimes (sometimes daily) and the diffi-
cult position conflicting global regimes can create for global institutions. Being aware of the
challenges that sanctions compliance poses, staying on top of worldwide developments and
anticipating future changes are all key issues when identifying the preventative measures that
should be put in place and to ensure that they continue to operate in an effective manner.
Introducing preventative measures is essential in ensuring that an organisation is
complying with international sanctions. The development of policies and procedures,
customer screening systems, the provision of training, due diligence, transaction monitoring
and transaction screening are all key preventative measures that organisations should consider
putting in place. There is no one-size-fits-all when it comes to sanctions compliance and at
the heart of all compliance programmes should be a risk assessment. Understanding the sanc-
tions risk posed by your business and its third parties is the best place to start when devel-
oping an effective sanctions compliance framework.
Equally, understanding the root causes of apparent violations of sanctions is also extremely
helpful when designing and maintaining an effective sanctions compliance programme and
in identifying the preventative measures that may be appropriate. OFAC has provided some
helpful analysis of the root causes of sanctions violations, which include:
• lack of a formal sanctions compliance programme;
• decentralised compliance functions and lack of a formal escalation process;
• an inefficient or incapable audit function;
• failure to understand the applicability of sanctions;
• facilitation of transactions by non-US persons in respect of US sanctions;
• utilising the US financial system for commercial transactions involving persons or entities
subject to US sanctions;
• inadequate sanctions screening; and
• inadequate due diligence on customers and third parties.3
Many OFAC civil settlements have resulted from voluntary self-disclosures of apparent viola-
tions in which the above-mentioned preventative measures were not taken or were inad-
equate. Understanding where others have failed is a key component of determining whether
your own sanctions compliance programme will be effective.
3 See https://home.treasury.gov/news/press-releases/sm680.
196
© Law Business Research 2021
Principled Guide to Sanctions Compliance Programmes
Although these guidance documents differ in certain elements, they are broadly in agreement
that the general core components of an effective sanctions compliance programme are:
• senior management commitment;
• risk assessment;
• policies, procedures and internal controls;
• training; and
• audit.
4 See https://home.treasury.gov/news/press-releases/sm680.
5 See US Dep’t of Justice’s ‘Guidance on Evaluating Corporate Compliance Programs’ (issued in 2019 and
updated in June 2020) – although this is not specific to sanctions, it is helpful in understanding the approach
enforcement agencies may take when assessing whether or not a compliance framework was adequate.
6 See www.gov.uk/government/publications/financial-sanctions-faqs.
7 See www.handbook.fca.org.uk/handbook/FCG/7/ – in particular Chapter 7, which provides examples of good
practice for sanctions systems and controls.
8 Commission Recommendation (EU) 2019/1318 – although this focuses on compliance programmes for
dual-use trade controls, the overarching principles are arguably relevant to any sanctions compliance programme.
197
© Law Business Research 2021
Principled Guide to Sanctions Compliance Programmes
Risk assessment
As previously stated, risk assessment is at the heart of an effective sanctions compliance
programme. Internal controls (including due diligence and screening), policies and proce-
dures and training cannot be done in an appropriate manner unless a risk assessment has been
conducted and the output is used to inform those elements of the compliance programme.
It is only when an organisation has considered and laid out its inherent sanctions risk that
it can truly start identifying controls and residual risk factors. A sanctions risk assessment
will vary significantly across different business types and sectors. Although there can be no
single approach to take, OFAC notes that a risk assessment ‘should generally consist of a
holistic review of the organisation from top-to-bottom and assess its touchpoints to the
outside world’.9 Equally, from a legal point of view, different legal requirements (including
cross-border requirements) pose different challenges and risks to different businesses.
Understanding the complexity of sanctions and the effects on your own individual business
is vital when implementing and managing an effective compliance programme.
In the United Kingdom, the Financial Conduct Authority (FCA) is clear that ‘a thorough
understanding of financial crime risks [including sanctions] is key if a firm is to apply propor-
tionate and effective systems and controls’.10 Corporate resources are not infinite and one of
the key benefits in conducting a risk assessment is that it enables an organisation to target
resource on the areas of greatest sanctions risk (alongside other financial crime-related areas).
Risk assessments should have a broad scope and should include assessment of:
• customer risk;
• product risk;
9 OFAC, ‘A Framework for OFAC Compliance Commitments’ (dated 2 May 2019), at https://home.treasury.gov/
news/press-releases/sm680.
10 Financial Conduct Authority [FCA], ‘Financial Crime Guide’, Box 2.2.4.
198
© Law Business Research 2021
Principled Guide to Sanctions Compliance Programmes
• geography risk;
• transaction risk; and
• delivery risk.
It is important to identify all potential sanctions risk and, in particular, where it is in the oper-
ation of your business that potential sanctions exposure may lie. As noted in ‘A Framework
for OFAC Compliance Commitments’, sanctions risk not only exists in the day-to-day
operations of a business but also in mergers and acquisitions, particularly where mergers
and acquisitions introduce cross-border considerations. As such, assessing the applicability of
various sanctions regimes to different parts of your business, customers, intermediaries, the
supply chain, counterparties and the geography of each of these is important. As stated previ-
ously, understanding the root causes of apparent sanctions violations is also important and
having an understanding of these root causes will result in a more productive risk assessment.
OFAC has helpfully provided a suggested risk matrix that may be used when assessing
compliance programmes.11
Sanctions compliance programmes typically include, at their most basic, a sanctions policy
and, in some cases, a compliance manual (which may cover more than one area of financial
crime risk). Sanctions policies typically include explanations of what sanctions are, why they
are applicable to the business, why it is important to comply with them, what controls the
business has put in place to ensure compliance, what the obligations of individual employees
are and the consequences of failing to comply with the sanctions compliance programme.
Processes underpinning the internal controls put in place are often set out in a separate
compliance manual or procedures document, along with an appropriate internal reporting
and governance structure and exceptions process.
Internal controls for any financial crime compliance programme must be able to adapt to
ongoing changes and developments. This is particularly important in the context of sanctions
where changes to legal regimes occur frequently, where new entities and individuals are desig-
nated by one or more regulators and where geopolitics frequently result in changes in focus
by different governments across the world. An effective sanctions compliance programme
11 Annex to Appendix A to 31 C.F.R. Part 501, OFAC’s Economic Sanctions Enforcement Guidelines.
199
© Law Business Research 2021
Principled Guide to Sanctions Compliance Programmes
must be able to adapt to these evolutions and this should be built into the framework of the
internal controls.
Although there is generally no legal obligation within primary sanctions legislation to
conduct sanctions screening,12 it is often the only practical way an organisation can ensure
that it does not engage in conduct that would give rise to violations of sanctions. There are
multiple screening tools available to organisations, some of which will no doubt be better
suited to certain industries. However, what is important is that those responsible for the
screening solution within an organisation understand why the tool was selected, how it oper-
ates, how it is calibrated to meet the needs of the organisation and its risk assessment, and
how the underlying logic works. The effectiveness of sanctions screening tools, at both the
customer and transaction levels, should be regularly tested to ensure it is operating within the
parameters the organisation needs and expects.
Having a screening tool working in isolation is unlikely to be effective and the importance
of ensuring it is aligned to a risk assessment and due diligence requirements cannot be under-
stated. An organisation’s risk assessment should inform how a screening solution is utilised,
what is screened and when.
The importance of internal controls is not a new concept. The FCA’s predecessor, the
Financial Services Authority (FSA), fined Royal Bank of Scotland £5.6 million in 2010 as
a result of deficiencies in its systems and controls to prevent breaches of UK financial sanc-
tions. One of the key findings by the FSA was that the bank failed to properly consider what
policies and procedures were required to ensure it did not engage in activity that would
give rise to a violation of the UK sanctions regime. The regulator found that the bank was
not screening certain cross-border payments, that beneficial ownership information was not
adequately recorded and that, therefore, screening of that information was not sufficient.
Moreover, screening solutions were not monitored or reviewed regularly to ensure effective-
ness. Although no specific violations of sanctions were identified, the FSA determined that
the lack of appropriate internal controls gave rise to an unacceptable risk that UK sanctions
could have been breached. The FSA stressed that ‘adequate systems and controls relating to
financial sanctions is an integral part of complying with the [now FCA’s] requirements on
financial crime’.13 This message remains relevant today, and we continue to see action by regu-
lators across the world against organisations not only for actual violations of sanctions but
also because of the lack of adequate internal controls in preventing violations from occurring.
Training
An organisation could design the best sanctions compliance programme ever seen, but
failing to train employees adequately, not only on the programme itself but on the rationale
for having it (including legal and regulatory obligations), is a sure-fire way of ensuring the
compliance programme fails. While technology no doubt plays a significant role in any
compliance programme, the complexity of international sanctions and the need for various
12 In the United Kingdom, the European Union or the United States – although the writers acknowledge that
certain regulated entities may have obligations imposed on them by specific regulators, such as the New York
State Department of Financial Services in the US.
13 FCA Decision Notice, dated 2 August 2010.
200
© Law Business Research 2021
Principled Guide to Sanctions Compliance Programmes
controls to work alongside and in conjunction with each other means that, often, a sanctions
compliance programme is only as good as the people who implement it.
Training can take many forms and what is appropriate for one organisation will not
necessarily be appropriate for another. Organisations that operate across multiple jurisdic-
tions will no doubt need a more detailed training plan than a small organisation based only in
the UK, for instance. Again, the training requirements needed should flow from the outcome
of an organisation’s risk assessment and we would stress that it is important to consider the
root causes of sanctions violations to ensure that these are, where appropriate, addressed
within the training provided. Training may include:
• clear communication of internal controls, policies and procedures to relevant employees;
• internal face-to-face or webinar-based training in respect of sanctions obligations (of
the organisation and individual employees), legal and regulatory requirements, internal
controls and reporting obligations (both internally and externally). Many enforce-
ment authorities and regulators expect to see training being given regularly to relevant
employees, at least once a year; and
• external specialist training for those operating in vital roles within the risk and compli-
ance functions and high-risk areas within a business.
Audit
Once a sanctions compliance programme is implemented, it is important to ensure that it is
regularly tested and evaluated to not only ensure it remains effective, but to ensure that the
programme is being implemented consistently throughout the organisation. Both internal
and external audits are useful in this regard and audits can be carried out on specific aspects
of a compliance programme, or on the programme as a whole.
Audits, whether internal or external, should be independent and should aim to identify
any deficiencies in the compliance programme, make recommendations for improvement
and follow up on action items to ensure audit points are closed off and remediated where
necessary. Linking back to the subject of senior management commitment, it is also recom-
mended that audit functions are held accountable by senior management and that updates
and reports on findings are presented to, and considered by, senior management.
Audit functions should provide a level of challenge to the risk and compliance func-
tion and the sanctions compliance framework. The DOJ has indicated that when assessing
201
© Law Business Research 2021
Principled Guide to Sanctions Compliance Programmes
These questions are equally relevant to the work of an independent audit function.
14 US Dep’t of Justice’s ‘Guidance on Evaluating Corporate Compliance Programs’ (issued in 2019 and updated in
June 2020).
15 See www.gov.uk/government/collections/enforcement-of-financial-sanctions.
16 Split across two fines of £7.69 million and £12.77 million. These fines were reduced by the Economic Secretary
of the Treasury from £11.9 million and £19.6 million originally imposed by OFSI.
17 Namely being in breach of Article 5(3) of EU Council Regulation 833/2014 and Regulation 3B of The Ukraine
(European Union Financial Sanctions) (No. 3) Regulations 2014.
202
© Law Business Research 2021
Principled Guide to Sanctions Compliance Programmes
18 See https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20190409.
19 See https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20190917_33.
20 See https://home.treasury.gov/news/press-releases/sm658.
203
© Law Business Research 2021
Principled Guide to Sanctions Compliance Programmes
sector implements strong and effective compliance programmes that protect the US
financial system from abuse.’
• Union de Banques Arabes et Françaises (UBAF) – OFAC 21
• In January 2021, OFAC announced a $8,572,500 settlement with UBAF, a bank
based in France that concentrates on trade finance facilitation between Europe and
the Middle East, North Africa, sub-Saharan Africa, and Asia. Between 2011 and
2013, UBAF operated US-dollar accounts on behalf of sanctioned Syrian financial
institutions and indirectly conducted business on behalf of these institutions through
the US financial system using US dollars.
• The monetary penalty in this matter could have been much higher, however it was
mitigated in part due to UBAF having a compliance programme in place at the
time of the apparent violations and investing substantial resources into improving
said compliance programme. UBAF had adopted a new Financial Security Charter
and set up a Compliance Committee, provided in-person and e-learning training
for all employees and reviewed its business lines to terminate its relationships with
high-risk entities.
Actions taken by enforcement agencies in the past two years have highlighted the importance
of sanctions compliance programmes. If one is not in place or is not effective, enforcement
agencies will not hesitate in requiring one to be put in place as a condition of a settlement.
Being forced by a regulator or enforcement agency to strengthen a sanctions compliance
programme comes with a number of difficulties, including reputational damage and, in
serious cases, ongoing costs associated with future monitorship by enforcement agencies. It
is far better for an organisation to take the initiative and develop and implement a sanctions
compliance programme on its own terms to protect the business.
Adequate procedures
When faced with potential enforcement action, one of the key questions organisations should
be asking themselves is whether they had adequate procedures in place to prevent sanctions
violations. ‘Adequate procedures’ are not defined in any guidance but generally speaking they
are the measures an organisation has in place to mitigate the risk of sanctions violations.
They are the components of a sanctions compliance programme that have been dealt with in
this chapter.
It is entirely possible for an organisation to have adequate procedures in place and still
experience sanctions violations; no system is perfect. However, being in a position to demon-
strate to an enforcement agency such as OFAC or OFSI that your organisation had adequate
procedures in place may be the difference between a breach being found to be egregious or
not22 and will undoubtedly influence enforcement agencies when they consider whether the
violation has arisen from wilful or reckless conduct by the organisation and its employees.
Being able to demonstrate that adequate procedures were in place, albeit a violation still
occurred, could be significant in ensuring lower penalties.
21 See https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210104_33.
22 Which is relevant when OFAC determines base penalties – see https://www.ecfr.gov/cgi-bin/text-idx?SID=ccac94
aaa0387efe2a9c3fca2dc5a4ab&mc=true&node=ap31.3.501_1901.a&rgn=div9.
204
© Law Business Research 2021
Principled Guide to Sanctions Compliance Programmes
In this regard, the approach to a sanctions compliance programme is similar to that which
an organisation would take under the UK Bribery Act 2010 (UKBA). The UKBA provides a
defence23 to organisations if they are able to show that they had adequate procedures in place
designed to prevent an offence of bribery occurring. Guidance from the UK government24
indicates that establishing adequate procedures should be informed by six guiding principles:
• proportionate procedures;
• top-level commitment;
• risk assessment;
• due diligence;
• communication and training; and
• monitoring and review.
These are all areas that are relevant to an effective sanctions compliance programme and have
been detailed in this chapter. Where the approach differs is that although having adequate
procedures provides a defence against prosecution under the UKBA, the position is not as
clear in respect of sanctions violations that can still occur and be prosecuted (or have civil
action taken) even when adequate procedures were in place. Notwithstanding this, having
adequate procedures in place is a very significant form of mitigation in the context of
sanctions violations.
205
© Law Business Research 2021
Principled Guide to Sanctions Compliance Programmes
206
© Law Business Research 2021
14
Sanctions Screening: Challenges and Control Considerations
Charlie Steele, Sarah Wrigley, Deborah Luskin and Jona Boscolo Cappon1
Background
Economic sanctions have evolved in complexity over time. Total embargoes were formerly
common, and were enacted to completely block trade with disfavoured countries. List-based
sanctions (also known as ‘smart’ sanctions) were later introduced, specifically targeting people
and entities rather than entire countries. The most well-known list-based sanctions are those
maintained by the US, published in the Office of Foreign Assets Control’s (OFAC) Specially
Designated Nationals and Blocked Persons (SDN) List.2 More finely targeted sanctions result
in fewer unintended collateral consequences than embargoes but are often more difficult to
comply with. Screening against targeted sanctions lists presents considerable challenges, given
the complex corporate structures used to obscure underlying sanctioned parties, the inherent
difficulties in name matching, and difficulties in screening for entities that are, directly or
indirectly, 50 per cent or more owned by sanctioned parties, under OFAC’s 50 Percent Rule.
A more recent example of increasing complexity are sanctions that address both entities
and their underlying activities. For example, the US sectoral sanctions3 introduced in 2014 in
response to Russia’s annexation of Crimea, target persons, companies and entities in speci-
fied sectors of the Russian economy (especially energy, finance and armaments), prohibiting
certain types of activity by US persons with individuals or entities operating in those sectors.
This new type of sanctions added another level of complexity to compliance; existing chal-
lenges in correctly identifying sanctioned parties were compounded by the requirement to
also understand the types of activities in which the targets were engaged.
1 Charlie Steele is a partner, Sarah Wrigley is a director and Deborah Luskin and Jona Boscolo Cappon are
associate directors at Forensic Risk Alliance.
2 https://home.treasury.gov/policy-issues/financial-sanctions/specially-designated-nationals-and-blocked-persons-l
ist-sdn-human-readable-lists.
3 https://home.treasury.gov/system/files/126/ukraine_eo3.pdf.
207
© Law Business Research 2021
Sanctions Screening: Challenges and Control Considerations
4 https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf.
5 VI. Sanctions Screening Software or Filter Faults: Many organisations conduct screening of their customers,
supply chain, intermediaries, counterparties, commercial and financial documents, and transactions in order
to identify OFAC-prohibited locations, parties, or dealings. At times, organisations have failed to update their
sanctions screening software to incorporate updates to the SDN List or SSI List, failed to include pertinent
identifiers such as SWIFT Business Identifier Codes for designated, blocked, or sanctioned financial institutions,
or did not account for alternative spellings of prohibited countries or parties – particularly in instances in which
the organisation is domiciled or conducts business in geographies that frequently utilise such alternative spellings
(i.e., Habana instead of Havana, Kuba instead of Cuba, Soudan instead of Sudan, etc.).
6 https://home.treasury.gov/system/files/126/false_hit.pdf.
7 Part 504 of the New York State Banking Regulations in 2017.
8 www.dfs.ny.gov/industry_guidance/transaction_monitoring.
208
© Law Business Research 2021
Sanctions Screening: Challenges and Control Considerations
At a more detailed level, each regulated institution must maintain a sanctions screening
programme that is reasonably designed to interdict transactions prohibited by OFAC and
that includes the following attributes:
209
© Law Business Research 2021
Sanctions Screening: Challenges and Control Considerations
• Periodic training of all stakeholders with respect to the Transaction Monitoring and
Filtering Program.
Although not all financial institutions are subject to these rules (and non-financial entities are
not within their scope), they provide a useful benchmark in evaluating whether a sanctions
screening programme has been designed well and is operating effectively.
In the UK, the Financial Conduct Authority’s (FCA) Financial Crime Guide addresses
compliance with sanctions and asset freezes.9 In the context of a risk assessment, a firm should
understand where sanctions risks reside, considering different business lines, sales channels,
customer types and geographical locations, and should keep the risk assessment current.
Examples of good practices related to sanctions screening include:
• where a firm uses automated systems, these can make ‘fuzzy matches’ (be able to identify
similar or variant spellings of names, name reversal, digit rotation, character manipula-
tion, etc.);
• the firm should screen customers’ directors and known beneficial owners on a
risk-sensitive basis;
• where the firm maintains an account for a listed individual, the status of this account is
clearly flagged to staff; and
• a firm should only place faith in other firms’ screening (such as outsourcers or intermedi-
aries) after taking steps to satisfy themselves that this is appropriate.
In addition to these examples of best practices, the Guide cites a £5.6 million fine by the
FCA’s predecessor against Royal Bank of Scotland (RBS) in 2010, where RBS failed to
adequately screen their customers and payments against the sanctions list, did not ensure its
‘fuzzy matching’ remained effective, and, in many cases, did not screen the names of directors
and beneficial owners of customer companies.
In addition to the OFAC, NYDFS and FCA regulatory guidance referenced above, the
Wolfsberg Group published ‘Guidance on Sanctions Screening’ in 2019.10 The guidance
indicates that sanctions screening should be supported by key enabling functions, such as
policies and procedures, a responsible person, a risk assessment, internal controls and testing.
These areas roughly correspond to the high-level pillars within OFAC’s Framework. In addi-
tion to Wolfsberg’s key enabling functions, the guidance also discusses principles for gener-
ating productive sanctions alerts, the need for metrics and reporting, independent testing and
validation, data integrity, and criteria used to develop screening technology in-house or to
select a vendor to provide such services.
9 www.handbook.fca.org.uk/handbook/FCG.pdf.
10 www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Wolfsberg%20Guidance%20on%20Sanctions%20
Screening.pdf.
210
© Law Business Research 2021
Sanctions Screening: Challenges and Control Considerations
effective sanctions screening programme in relation to the five high-level areas of compliance
articulated in OFAC’s Framework.
211
© Law Business Research 2021
Sanctions Screening: Challenges and Control Considerations
is included in the population of data for screening. In several recent OFAC enforcement
actions, the agency noted absence of relevant data from the sanctions screening process.
• February 2021: BitPay, Inc., a digital currency business, settled with OFAC for
US$507,375 for processing payments for over five years, where they possessed Internet
Protocol (IP) data and some invoice information that indicated the customer was located
in a sanctioned jurisdiction, but did not utilise that information for sanctions screening
purposes.11 BitPay, Inc. screened the merchants, but not the end customers, against rele-
vant sanctions lists, even though they were in receipt of end-customer information. As
a result, customers with IP addresses or invoice information indicating origination in
Crimea, Cuba, North Korea, Iran, Sudan and Syria were able to make purchases from
merchants in the US and elsewhere using digital currency on BitPay’s platform.
• December 2020: BitGo Inc. settled with OFAC for US$98,830 for processing
digital currency transactions for customers with IP addresses in numerous sanctioned
jurisdictions.12
• December 2020: National Commercial Bank settled with OFAC for US$653,347 for
processing payments to sanctioned entities.13 One of the mitigating factors in deter-
mining the penalty included the future ‘required screening of all payments against inter-
national sanctions lists’.
• September 2020: Deutsche Bank Trust Company Americas settled with OFAC for
US$583,100 for processing Ukraine-related payments.14 There were several issues with
their screening software, but one in particular is that they did not include the SWIFT
Business Identifier Code (BIC) in their sanctions screening, which allowed payments to
be made to a designated financial institution.
• June 2019: Western Union settled with OFAC for US$401,697 because a bank in The
Gambia, serving as one of their principal master agents, used a sub-agent that was on
a sanctions list.15 Western Union had erroneously recorded the sub-agent as a location
of the master agent, rather than as a distinct legal entity. There was a process to screen
master agents and sub-agents, but they did not screen the location data for the sub-agents.
Because Western Union mistakenly believed that the Gambia-based company had oper-
ated out of a single location that had been closed, the sub-agent continued to serve as
sub-agent for another month.
• April 2019: Standard Chartered Bank settled with OFAC for US$639,023,750 for several
sanctions violations, including online and mobile banking platforms that, for many years,
did not include comprehensive sanctions screening.16
After all relevant information is gathered, the quality of the data must also be addressed. For
example, typing errors, non-standard inputs, blank values and inconsistent structure can all
impede effective sanctions screening.
11 https://home.treasury.gov/system/files/126/20210218_bp.pdf.
12 https://home.treasury.gov/system/files/126/20201230_bitgo.pdf.
13 https://home.treasury.gov/system/files/126/20201228_NCB.pdf.
14 https://home.treasury.gov/system/files/126/20200909_DBTCA.pdf.
15 https://home.treasury.gov/system/files/126/20190607_western_union.pdf.
16 https://home.treasury.gov/system/files/126/scb_settlement.pdf.
212
© Law Business Research 2021
Sanctions Screening: Challenges and Control Considerations
213
© Law Business Research 2021
Sanctions Screening: Challenges and Control Considerations
• September 2020: Deutsche Bank Trust Company Americas’ September 2020 settlement
with OFAC cited, among other things, the company’s complete lack of fuzzy matching
for names.17
• July 2020: Amazon.com Inc. settled with OFAC for US$134,523 for Amazon’s screening
processes, which did not flag orders with address fields containing an address in ‘Yalta,
Krimea’ for the term ‘Yalta,’ a city in Crimea, nor for the variation of the spelling of
Crimea.18 In another example, Amazon failed to interdict or otherwise flag orders shipped
to the Embassy of Iran located in third countries. Moreover, in several hundred instances,
Amazon’s automated sanctions screening processes failed to flag the correctly spelled
names and addresses of persons on OFAC’s SDN List.
• November 2019: Apple settled with OFAC for US$466,912 for failing to identify that
SIS, an App Store developer, was added to the SDN List and was therefore blocked.19
Apple later attributed this failure to its sanctions screening tool’s failure to match the
upper-case name ‘SIS DOO’ in Apple’s system with the lower-case name ‘SIS d.o.o.’ as
written on the SDN List. The term ‘d.o.o.’ is a standard corporate suffix in Slovenia iden-
tifying a limited liability company.
• October 2019: The General Electric Company settled with OFAC for US$2,718,581 for
accepting payments from an entity on the SDN List.20 The sanctioned entity was Cobalt
Refinery Company, or Corefco. The payments contained Cobalt’s full legal entity name
as it appears on OFAC’s SDN List as well as an acronym for Cobalt (‘Corefco’), but the
GE Companies’ sanctions screening software, which screened only the abbreviation of the
SDN’s name, never generated an alert on Cobalt’s name.
• November 2018: Cobham Holdings, Inc. settled with OFAC for US$87,507 for
screening software that failed to generate an alert against JSC AlmazAntey (as identified
on the SDN List) for payments made to Almaz Antey Telecommunications LLC.21 The
third-party screening software relied on by Cobham used an ‘all word’ match criteria that
would only return matches containing all of the searched words, even though Cobham
had set the search criteria to ‘fuzzy’ to detect partial matches. This meant that the soft-
ware failed to match ‘Almaz Antey’ when Cobham searched for ‘Almaz Antey Telecom.’
Almaz-Antey Telecommunications LLC was 51 per cent owned by the SDN.
• October 2018: OFAC issued a Finding of Violation to JPMorgan Chase Bank – formally
determining that the bank had committed violations, but declining to impose a monetary
penalty – because the bank’s screening software did not identify SDN-listed persons.22
From 2007 to October 2013, they used a vendor screening system that failed to identify
customers with potential matches to the SDN List. The system’s screening logic capabili-
ties failed to identify customer names with hyphens, initials, or additional middle or last
names as potential names. After transitioning to a new system in 2013, JPMC re-screened
17 https://home.treasury.gov/system/files/126/20200909_DBTCA.pdf.
18 https://home.treasury.gov/system/files/126/20200708_amazon.pdf.
19 https://home.treasury.gov/system/files/126/20191125_apple.pdf.
20 https://home.treasury.gov/system/files/126/20191001_ge.pdf.
21 https://home.treasury.gov/system/files/126/20181127_metelics.pdf.
22 https://home.treasury.gov/system/files/126/jpmc_10050218.pdf.
214
© Law Business Research 2021
Sanctions Screening: Challenges and Control Considerations
188 million clients’ records through the new system and reported the historical violations
to OFAC.
All of the enforcement examples described above show that failures as to completeness of
data and fuzzy matching can lead to ineffective sanctions screening and enforcement actions.
On a related note, one of OFAC’s and the UK’s Office of Financial Sanctions
Implementation’s (OFSI) ‘mitigating factors’ used to determine the final civil penalty amount
is the strength of an entity’s sanctions compliance programme, including the screening compo-
nent. OFAC gave mitigation credit to several companies that implemented or improved their
sanctions screening programmes after detecting violations, including the following:
• BitPay, Inc.’s February 2021 settlement with OFAC noted that the company’s changes to
its compliance programme included blocking of IP addresses that appear to originate in
sanctioned jurisdictions, including end-customer information in the screening process,
and launching a new customer identification tool for merchant’s buyers.23
• In a January 2021 settlement with OFAC, PT Bukit Muria Jaya procured sanctions
screening services from a third-party provider.24
• In a January 2021 settlement, OFAC noted that Union de Banques Arabes et Francaises
now utilises the sanctions screening software used by their largest shareholder, which
includes screening the client database, an anti-stripping module, negative news research,
risk database research, vessel screening and country screening.25
• BitGo, Inc.’s December 2020 settlement with OFAC noted that the company now
performs IP address blocking, as well as email-related restrictions for sanctioned jurisdic-
tions, and performs periodic batch screening, reviews of screening configuration criteria
on a periodic basis, screening all ‘hot wallets26‘ against the SDN List, including cryptocur-
rency wallet addresses identified by OFAC, and a retroactive batch screen of all users.27
• In a December 2020 settlement, OFAC noted that National Commercial Bank now
requires screening of all payments against international sanctions lists, and requires sanc-
tions checks during account openings.28
• Amazon.com Inc.’s July 2020 settlement with OFAC notes several improvements to
the company’s screening processes, including employment of internal and third-party
sources to conduct thorough reviews of Amazon’s automated screening systems to address
screening failures, incorporation of additional automated preventative screening controls,
development of internal custom screening lists to minimise the risk of processing transac-
tions that raise sanctions compliance concerns, and enhancement of its sanctioned juris-
diction IP blocking controls and implementation of automated processes to continually
update its mapping of IP ranges associated with sanctioned jurisdictions.29
23 https://home.treasury.gov/system/files/126/20210218_bp.pdf.
24 https://home.treasury.gov/system/files/126/20210114_BMJ.pdf.
25 https://home.treasury.gov/system/files/126/01042021_UBAF.pdf.
26 Cryptocurrency wallet that is online and connected in some way to the internet.
27 https://home.treasury.gov/system/files/126/20201230_bitgo.pdf.
28 https://home.treasury.gov/system/files/126/20201228_NCB.pdf.
29 https://home.treasury.gov/system/files/126/20200708_amazon.pdf.
215
© Law Business Research 2021
Sanctions Screening: Challenges and Control Considerations
Finally, it is important to note that the examples thus far have focused on identifying matches
for list-based sanctions targets. As noted above, there are other types of sanctions that are
more targeted and complex – for example, OFAC’s sectoral sanctions, which focus on enti-
ties and activities.32 In 2019, Haverly Systems, Inc. settled an OFAC enforcement action
for US$75,375 after it invoiced JSC Rosneft, a Russian oil company, to be payable within
90 days.33 The invoices were not paid within that time frame and this violated Directive
2 under the Russia sectoral sanctions, which prohibited dealing in new debt of greater than
90 days maturity. Similarly, Standard Chartered Bank was fined over £20 million by the UK’s
OFSI for loans with maturity over 30 days to specific entities as part of the Ukraine sanctions.34
Another example is the recent ban on US-person investment in Communist Chinese
Military Companies (CCMCs) on public exchanges; this involves identification of both the
investor (are they a US person?) and the activity (does this transaction involve investment in
or derivative of, or provide investment exposure to, securities in the 44 specified CCMCs?).35
As sanctions include more complex, targeted criteria, the methods needed to ensure compli-
ance likewise become more complex, in some cases requiring companies to flag both the
entity and the activity to determine if potential sanctions violations have occurred.
OFAC’s 50 Percent Rule adds an additional element to screening complexity. Under this
rule, the property and interests in property of an entity are blocked if the entity is owned,
directly or indirectly, 50 per cent or more by one or more persons whose property and inter-
ests in property are blocked.36 This rule means that screening may require tools that review
and assess an entity’s ownership structure, and do not just stop at a review against designated
parties’ lists.
The Wolfsberg Group’s sanctions screening guidance contains a discussion regarding the
assessment of which data elements to screen.37 Specifically, the guidance states:
Names of parties involved in the transaction are relevant for list based sanctions programmes,
whereas addresses are more relevant to screening against geographical sanctions programmes
and can be used as identifying information to help distinguish a true match from a false
match. Other data elements, such as bank identification codes, may be relevant for both list
30 https://home.treasury.gov/system/files/126/20200226_sita.pdf.
31 https://home.treasury.gov/system/files/126/20190612_hotelbeds_0_1.pdf.
32 https://home.treasury.gov/system/files/126/ukraine_eo3.pdf.
33 https://home.treasury.gov/system/files/126/20190425_haverly.pdf.
34 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/
file/876971/200331_-_SCB_Penalty_Report.pdf.
35 https://home.treasury.gov/system/files/126/13959.pdf.
36 https://home.treasury.gov/system/files/126/licensing_guidance.pdf.
37 https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Wolfsberg%20Guidance%20on%20
Sanctions%20Screening.pdf.
216
© Law Business Research 2021
Sanctions Screening: Challenges and Control Considerations
and geographically based sanctions programmes. In a sanctions context, some data elements
are more relevant when found in combination with other attributes or references. For
example, detection of sectoral sanctions risk typically requires detection of multiple factors,
such as those where both the targeted parties and the prohibited activities are involved.
Many controls may not be capable of detecting both factors simultaneously and, therefore,
may not be effective.
Auditing
Evaluating the auditing component of the sanctions compliance programme involves three
key areas of focus with respect to screening. One is determining if the configuration of
automated screening tools is explicitly tied to the sanctions risk assessment. The second is
performing an independent evaluation of the software configuration and results. This can
be accomplished through an independent party that re-scans existing customers or transac-
tions to determine if they receive similar results. Finally, it is important to determine how
the company gains comfort over the outsourcing of any elements of the screening process.
Where the entity relies on external parties to provide timely updated sanctions lists, or to
screen against the lists and provide alerts, the company needs to confirm for itself whether or
not those results match the configuration.
Training
There are two key aspects to evaluating the training component of the sanctions compliance
programme as it relates to screening. The first is determining if those charged with managing
the sanctions screening process received specialised training that may include sanctions
evasion techniques, data analytic methods related to fuzzy matching, and language or cultural
training for understanding how names and punctuation differ between countries. The second
is incorporating information learned during the potential sanctions match process into the
sanctions training that is provided to the company widely. For example, after GE discovered
the alleged sanctions violations noted above, during testing and auditing of its compliance
217
© Law Business Research 2021
Sanctions Screening: Challenges and Control Considerations
Conclusion
Complete and accurate sanctions screening is a critical component of any successful sanctions
compliance programme. Many companies utilise automated sanctions screening tools to flag
potential sanctions matches for further review. Regulators expect proper oversight and effec-
tive use of these sanctions screening programmes, which is evidenced in the recent settlement
agreements for both financial and non-financial entities. While many entities focus on the
capabilities of a sanctions screening programme, it is important to remember that a successful
programme also requires proper oversight, a clear mapping between relevant sanctions risks
for the entity and the sanctions screening configuration, and regular review to ensure results
are complete, accurate and efficient.
218
© Law Business Research 2021
15
Navigating Conflicting Sanctions Regimes
Introduction
The ever-increasing globalisation of business means that many companies now operate to
some extent in two or more jurisdictions. This requires companies to be cognisant of trade
laws in other jurisdictions, in particular export control laws and sanctions regimes. When
those regimes conflict, or a jurisdiction’s laws apply extraterritorially, companies are left grap-
pling with decisions about whether it is lawful to proceed with transactions.2
This is particularly true of the sanctions regimes in place in the United States and the
European Union, which are the focus of this chapter. Measures imposed by each government
or body often follow a common policy objective and will typically be agreed collectively by
the United Nations Security Council. However, policy objectives sometimes diverge and
can be driven by regional political dynamics. This has been the case in the past in relation
to measures imposed by the United States on Cuba and the different approaches taken by
the United States and the European Union more recently in relation to the reimposition of
measures on Iran.
For those regimes in which the United States has implemented secondary sanctions, for
example Russia, even companies without a US presence may face punishment – in the form
of designation under those sanctions – for carrying on certain business contrary to the US’s
Russia sanctions. This is even the case for EU-based companies that are carrying on busi-
ness in compliance with the EU’s own Russia/Ukraine sanctions. We consider the effects of
secondary sanctions on non-US persons below.
For companies subject to both US and EU sanctions regimes, compliance with both is
complicated by the EU’s blocking legislation, which has recently been updated in light of the
1 Cherie Spinks is of counsel at Simmons & Simmonds LLP. Bruce G Paulsen is a partner and Andrew Jacobson is
an associate at Seward & Kissel.
2 Conflicts of law issues involving China and Hong Kong are dealt with in Chapters 11 and 12 of this Guide.
221
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
US’s position on Iran.3 We discuss the background to, and application and enforcement of,
the blocking legislation below.
This chapter also considers the US anti-boycott laws and provides guidance on advising
clients on managing conflicting regimes in that context. The conduct of risk assessments, due
diligence and approaches to contractual sanctions clauses are also covered.
Following the UK’s withdrawal from the EU, the UK’s autonomous sanctions regime has
emerged creating potential further conflicts for businesses operating globally. We comment
at the end of this chapter on the UK’s blocking provisions following Brexit.
Blocking regulation
Historical perspective
The United States has historically embraced embargoes and economic sanctions to facilitate
its foreign policy objectives, including when confronted by the competing foreign policy
interests of Europe and other world powers. Notably, in the late 1970s, the United States
enacted the Export Administration Act of 1979 (the EAA), which provided the President
with broad authority over US exports.4
The Reagan Administration used the EAA’s power over US exports to confront the Soviet
Union’s interests during the Cold War. Specifically, the Reagan Administration deployed an
economic embargo5 to target the construction of a Europe–Siberia pipeline, fearing that the
Soviets would use it to leverage support from western Europe and strengthen its military
3 In January 2019, the E3 (the governments of France, Germany and the United Kingdom) established a special
purpose vehicle, the Instrument in Support of Trade Exchanges [INSTEX], designed to facilitate legitimate
trade between European businesses and Iran to mitigate the effect of the US Iran sanctions. INSTEX creates
a ledger that offsets balances between its members (which also now include Belgium, Denmark, Finland, the
Netherlands, Norway and Sweden) when goods are traded – the intention being that payments will only be
made between the businesses importing and exporting from Iran, with no transfer of US dollars to Iran from
the European Union. On 31 March 2020, the UK government confirmed that the first transaction had been
completed on INSTEX (see www.gov.uk/government/news/instex-successfully-concludes-first-transaction).
4 Export Administration Act of 1979, Pub. L. No. 96-72, 93 Stat. 503 (1979) [EAA]. Specifically, the EAA
provided the President with authority to ‘prohibit or curtail the exportation of any goods, technology, or other
information subject to the jurisdiction of the United States, to the extent necessary to further significantly the
foreign policy of the United States or to fulfil its declared international obligations’. id., § 6(a)(1).
5 The US trade embargo required US companies to obtain a licence before exporting certain commodities and
technologies relating to oil and gas transportation to the Soviet Union, and the restrictions were eventually
expanded to include the dissemination of goods and technology by European-based subsidiaries and licensees of
American businesses. See Patrizio Merciai, ‘The Euro-Siberian Gas Pipeline Dispute – A Compelling Case for
the Adoption of Jurisdictional Codes of Conduct’, 8 Maryland J. of Int’l L. 1, 11-12 (1984); Jae-Seung Lee and
Daniel Connolly, ‘Pipeline Politics between Europe and Russia: A Historical Review from the Cold War to the
Post-Cold War’, 14 Korean J. of Int’l Studies [Lee and Connolly] 105, 111 to 113 (April 2016); Joseph Roussel,
‘The Pipeline Revisited’, 21 Gov. & Opposition [Roussel] 218, 219 (Spring 1986); Sarah J Cogswell, ‘In the Wake
of the Pipeline Embargo: European-United States Dialogue’, 12 Fla. St. U.L. Rev. [Cogswell] 73, 78 (Spring
1984); Gary H Perlow, ‘Taking Peacetime Trade Sanctions to the Limit: The Soviet Pipeline Embargo’, 15 Case
W. Reserve J. of Int’l L. 253, 253, 254 (1983).
222
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
interests.6 Despite the US’s efforts to curtail Soviet influence, the embargo was short-lived
and by the winter of 1982, it was repealed, due in large part to European protests.7
Similar to the US’s efforts to curtail Soviet influence in Europe during the Cold War,
the Cuban Liberty and Democratic Solidarity (Libertad) Act of 1996 (known as the
Helms-Burton Act) was enacted in an effort to rectify US nationals whose property was
confiscated by the Cuban Government following the Cuban revolution, and deter foreign
companies from establishing economic relations with Cuba.8 Notably, the Helms-Burton
Act’s most significant provision was the authorisation for US nationals to sue companies or
individuals that had confiscated or trafficked in confiscated property from Cuba.9
The Helms-Burton Act has a renewed relevance today. Although it is not a formal
economic sanctions programme, it certainly has affected US and foreign companies that have
previously done business in Cuba and with the Cuban government, and those that seek to
do so in the future.
US secondary sanctions
In the mid 1990s, the United States continued to implement economic sanctions targeting
non-US companies and individuals who did business in countries hostile to the United States.
In 1996, for example, the United States enacted the Iran and Libya Sanctions Act of 1996
(now known as the Iran Sanctions Act), the aim of which is to deter investment by non-US
companies in Iran and Libya by imposing sanctions on companies and individuals that made
investments contributing to Iran’s or Libya’s petroleum sectors. Like the Trans-Siberian pipe-
line embargo and the Helms-Burton Act, the Iran Sanctions Act was condemned as ‘extra
territorially’ illegal and a violation of international law by many of the US’s trading partners.10
The Iran Sanctions Act opened the door for more expansive secondary sanctions and
the United States continued that trend into the twenty-first century, including with imple-
mentation of the Comprehensive Iran Sanctions, Accountability, and Divestment Act of
2010 (secondary sanctions targeting Iran’s energy sector and foreign financial institutions
223
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
that engage in certain transactions with Iran), Countering America’s Adversaries Through
Sanctions Act in 2017 (secondary sanctions against Russia, North Korea and Iran), and the
US’s withdrawal from the Joint Comprehensive Plan of Action (JCPOA) in 2018, which
reimposed many of the secondary sanctions against Iran that had been paused as a result
of the Iran nuclear deal. In short, despite the challenges posed by the blocking laws of the
European Union and the opposition of other government bodies, the United States has
continued to implement and enforce sanctions targeting non-US companies and individuals
that transact with countries hostile to the US’s foreign policy interests.
224
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
• any national of a Member State established outside the European Union and any ship-
ping company established outside the European Union and controlled by nationals of
a Member State, if their vessels are registered in that Member State in accordance with
its legislation;
• any other natural person being a resident in the European Union, unless that person is in
the country of which he or she is a national; and
• any other natural person within the EU, including its territorial waters and air space and
in any aircraft or on any vessel under the jurisdiction or control of a Member State, acting
in a professional capacity.13
In August 2018, the European Commission (the Commission) sought to clarify the posi-
tion of EU subsidiaries of US companies and subsidiaries of EU companies in the United
States.14 Subsidiaries of US companies that have their registered office, central administration
or principal place of business within the European Union are considered to be ‘EU operators’
and therefore subject to the EU Blocking Regulation. This is not the case for EU branches of
US companies since they do not have distinct legal personality from their parent company.15
Nor is it the case for US-based subsidiaries of EU companies that will be subject to the law
under which they are incorporated (i.e., generally US law). Their parent companies will of
course be EU operators and therefore subject to the provisions of the Blocking Regulation.
The main provisions of the Blocking Regulation are as follows:
• EU operators are prohibited from complying, actively or by deliberate omission, with any
requirement or prohibition specified in the measures set out in the Annex.16 However,
EU operators may be authorised by the Commission to comply fully or partially with any
of the legislation set out in the Annex if to do otherwise would seriously damage their
interests or those of the European Union.17
• No decisions of non-EU courts, tribunals or administrative authorities giving effect to the
measures set out in the Annex or any actions based thereon or resulting therefrom shall be
recognised or enforceable within the European Union.18
• If the economic or financial interests of any EU operator are affected by the legislation
set out in the Annex (or by actions based thereon or resulting therefrom), they must
inform the Commission (or their own competent sanctions authority) within 30 days
225
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
of the date on which they obtain that information.19 The reporting obligation applies to
directors, managers and other persons with management responsibilities. In addition, the
Commission has the power to request additional information.
• Penalties for non-compliance with the Blocking Regulation are to be imposed by each
Member State. Article 9 requires that any such sanctions ‘must be effective, proportional
and dissuasive’.
The terms of the Blocking Regulation are unclear in a number of ways; for example, in respect
of the prohibition on European companies from ‘complying’ with the measures set out in
the Annex. In this context, ‘complying’ might be interpreted to mean that business should be
conducted in line with the requirements of the relevant measures. Does this therefore mean
that European businesses are prohibited from actively deciding that they should not do busi-
ness in Iran or Cuba because to do otherwise might suggest that they are complying with
US economic sanctions? In the EU Guidance Note, the Commission’s response is as follows:
EU operators are free to conduct their business as they see fit in accordance with EU law and
national applicable laws. This means that they are free to choose whether to start working,
continue, or cease business operations in Iran or Cuba, and whether to engage or not in an
economic sector on the basis of their assessment of the economic situation. The purpose of
the Blocking Statute is exactly to ensure that that [sic] such business decisions remain free,
i.e., are not forced upon EU operators by the listed extra-territorial legislation, which the
Union law does not recognise as applicable to them.20
The impact of the ‘extraterritoriality’ of the US legislation creates another area of uncertainty.
Since the purpose of the Blocking Regulation is to counteract the extraterritorial effect of
the measures specified in the Annex, the prohibition under Article 5 will apply only to the
extent that measures apply extraterritorially to EU operators. Determining this will largely
be a question of fact. In addition, it is unclear whether the Article 5 prohibition applies to
US secondary sanctions as well as primary sanctions. US primary sanctions typically apply to
entities and individuals that have a US nexus (e.g., US persons, companies organised under
the laws of the United States, those using the US financial system, among others), while
secondary sanctions are intended to target entities and individuals, regardless of their connec-
tions to the United States (e.g., companies organised in foreign jurisdictions, individuals not
located in, or citizens of, the United States, among others). Given that primary sanctions
do not typically apply extraterritorially therefore to EU companies (with the exception of
EU-incorporated subsidiaries of US companies), it might be concluded that primary sanc-
tions are not within scope of the Blocking Regulation and, therefore, EU companies are free
to conduct their affairs in line with those sanctions if they so desire. However, the Blocking
Regulation and the EU Guidance Note do not provide clarity either way on this matter.
19 id., at Article 2.
20 EU Guidance Note – Questions and Answers: adoption of update of the Blocking Statute, Question 5.
226
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
21 Extraterritorial US Legislation (Sanctions against Cuba, Iran and Libya) (Protection of Trading Interests) Order
1996, Article 2.
22 The German Foreign Trade and Payments Ordinance.
23 Only one enforcement case has been reported. In 2007, an Austrian Bank (BAWAG) was subject to
administrative proceedings for breaching the Blocking Regulation following closures of accounts held by
Cuban nationals. The bank allegedly closed the accounts to facilitate its acquisition by a US private equity firm.
Proceedings were ultimately dropped following reinstatement of the customers’ accounts.
24 The Commission has acknowledged that EU operators might decide not to engage in certain activities as a result
of commercial business considerations rather than to comply with US legislation, and furthermore that it will
not usually be possible to establish that the decision is as a direct result of US legislation rather than commercial
considerations (answer given by Vice President Mogherini to parliamentary questions E-007804/2014 on
1 April 2015).
25 Case C-124/20, at http://curia.europa.eu/juris/showPdf.jsf?text=&docid=225701&pageIndex=0&doclang=en&
mode=lst&dir=&occ=first&part=1&cid=833930.
227
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
is sufficient for its application that the action of the EU operator is predicated on compliance
with secondary sanctions. A ruling is yet to be made.26
Separately, Article 6 of the Blocking Regulation provides that any EU operator shall be
entitled to recover any damages and legal costs caused to that person by the application of
the laws specified in the Annex. This provision is broad and leaves open the possibility that a
claim could, for example, be made against the US government for losses caused.27
Despite the restrictions imposed by blocking measures enacted by the European Union
and others, OFAC has not indicated an interest in easing enforcement for US companies or
their foreign subsidiaries that operate in sanctioned jurisdictions. In fact, OFAC’s Framework
for Compliance Commitments, issued in May 2019, does not reference the Blocking
Regulation, and US authorities take the view that companies whose transactions have a nexus
to the United States must abide by US sanctions, regardless of the local restrictions that
companies or individuals might have.28
228
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
In addition, it is vital that parties do not breach the terms of the Blocking Regulation
by agreeing to comply with relevant US measures (as set out in the Annex to the Blocking
Regulation). Typically, agreements will require parties to confirm that they have not, and
will not, breach relevant sanctions. If a US person is involved in such an agreement, relevant
sanctions will be defined to include US sanctions and limits will be placed on dealing with
persons designated by OFAC under those sanctions.30 Article 5 of the Blocking Regulation
could be interpreted widely to mean that compliance with such terms amounts to ‘complying’
under Article 5.31
To work around the implications of the Blocking Regulation, contractual parties often
carve out the terms of that Regulation from an obligation to comply with US sanctions.
In those circumstances, a compliance with sanctions clause would not be applicable to the
extent that is inconsistent with the Blocking Regulation.
German nationals (legal and natural) are prohibited from issuing or participating in a
boycott declaration.32 Terms that define the breach of a sanctions clause as an event of default
under the contract might also fall foul of the anti-boycott legislation since the party in breach
would suffer adverse consequences. German contractual parties therefore typically seek to
include a carve out from compliance with sanctions that are inconsistent with the terms of
the anti-boycott legislation and that either opt in or opt out of particular terms.
An alternative approach is for contractual parties to limit terms relating to compliance
with sanctions to the facts of a specific transaction. For example, it may not be necessary for
parties to agree to continuing compliance with US sanctions on Iran if they carry out no
business in Iran or with Iranian parties. When permitting a counterparty to adopt such an
approach, it is recommended that due diligence is undertaken, for example, to obtain a clear
understanding of the counterparty’s business, likely use of funds (in a financing arrangement)
and to determine the legal possibility and risk of that party breaching US sanctions.
of Foreign Assets Control [OFAC] designated Lamesa’s ultimate beneficial owner as a specially designated
national [SDN], meaning that Lamesa fell within the scope of US secondary sanctions. Cynergy refused to
make repayments under the Agreement, as continuing to do so carried a risk that Cynergy itself might be
sanctioned as the payments might be categorised as a ‘signification financial transaction’ with a US-sanctioned
entity. The Agreement did not expressly define US secondary sanctions within scope of the term ‘a mandatory
provision of law’; however, Cynergy argued that they were and therefore an implied obligation could be read
into the Agreement not to knowingly facilitate significant financial transactions on behalf of a secondary
sanctioned entity. Among other things, Lamesa argued that US secondary sanctions had no legal effect in the
United Kingdom and therefore Cynergy faced exposure to penalties or the risk that it could become subject to
sanctions itself.
30 Consistent with comments made earlier in this chapter, it is possible that agreement to comply with US primary
sanctions would not fall foul of Article 5 since US primary sanctions do not typically apply to EU operators.
31 However, the English High Court in Mamancochet Mining Ltd v. Aegis Managing Agency Ltd & Ors [2018]
EWHC 2643 (Comm) stated on an obiter basis that the Blocking Regulation was not engaged if an insurer’s
liability to pay a claim was suspended under a sanctions clause, as an insurer was not ‘complying’ with a third
country’s prohibition, but was simply relying on the terms of the policy to refuse payment of a claim.
32 German Foreign Trade and Payment Act, Section 7. Sanctions imposed by the United Nations, European Union
or German government are outside the prohibition.
229
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
US anti-boycott laws
Overview
The current iteration of the US’s anti-boycott laws were first enacted in the middle to late
1970s with the Ribicoff Amendment to the Tax Reform Act of 1976 (TRA) and the EAA.
Both statutes were enacted in response to the Arab League’s boycott of Israel, although neither
explicitly referenced Israel or the Arab League’s boycott. The US Department of Commerce’s
Bureau of Industry and Security (BIS) administers and enforces the EAA’s anti-boycott provi-
sions through the Export Administration Regulations (EAR), while the US Department of
the Treasury is responsible for administering and enforcing the TRA’s anti-boycott provisions,
which are contained in Section 999 of the Internal Revenue Code.33
Applicability
The EAR’s anti-boycott restrictions apply to the activities of US persons that do business
in the interstate or foreign commerce of the United States.34 The EAR defines ‘US person’
as ‘any person who is a United States resident or national, including individuals, domestic
concerns, and “controlled in fact” foreign subsidiaries, affiliates, or other permanent foreign
establishments of domestic concerns’.35
Similarly, the anti-boycott provisions of the TRA, which are contained in Section 999 of
the Internal Revenue Code, apply to any US person, defined as a citizen or resident of the
United States, a domestic partnership, a domestic corporation, any estate (other than a
foreign estate), and any trust subject to US supervision or control.36
33 In 2018, Congress enacted the Export Control Reform Act and the Anti-Boycott Act of 2018, which provided
permanent statutory authority for the Export Administration Regulations [EAR]. See NDAA for Fiscal Year
2019, P.L. No. 115–232 (21 August 2018); see also 50 U.S.C. §§ 4812, 4841 to 4843. Recently, the Treasury
Department removed the United Arab Emirates (UAE) from its current list of countries that require or may
require participation in, or cooperation with, an international boycott within the meaning of Section 999(b)
(3) of the Internal Revenue Code. See Federal Register Notice, U.S. Department of the Treasury (April 8,
2021), at www.federalregister.gov/documents/2021/04/08/2021-07244/list-of-countries-requiring-coop
eration-with-an-international-boycott.
34 Examples of ‘interstate or foreign commerce’ of the United States include the sale, purchase or transfer of goods
or services (including information) between two or more states, any state and any territory or possession of the
United States, two or more territories or possessions of the United States, or a state, territory or possession of the
United States and any foreign country. See 15 C.F.R. § 760.1(d)(1), Guidance (1).
35 15 C.F.R. § 760.1(b). However, the concept of ‘US person’ does not include an individual US national who is a
resident outside the United States and who is either employed permanently or temporarily by a non-US person
or assigned to work as an employee for, and under the direction and control of, a non-US person. 15 C.F.R.
§ 760.1(b)(v)(4). The definition of ‘US person’ under the EAR is therefore narrower than the concept under the
US’s economic sanctions laws, regulations and executive orders, which typically define US persons to include
US citizens, regardless of whether they are located within or outside the United States. In short, the EAR applies
to US residents and nationals, including those travelling outside the territory, but US residents and nationals that
are employed by non-US persons are generally exempted from the EAR’s anti-boycott requirements.
36 See 26 U.S.C. § 7701(a)(30); Issuance of New Boycott Guidelines, 43 Fed. Reg. 3454 (25 January 1978).
Unlike the EAR, the Tax Reform Act of 1976 generally applies to any US taxpayer or member of a controlled
group, including a foreign subsidiary with more than half of its shares owned by a US parent company, and its
consequences are not restricted by a US commerce test. See 26 U.S.C. §§ 999(a)(1), 993(a)(3), 1563(a).
230
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
Prohibitions
The EAR prohibits a wide range of conduct relating to unauthorised boycotts. Specifically,
US persons may not:
refuse, knowingly agree to refuse, require any other person to refuse, or knowingly agree to
require any other person to refuse, to do business with or in a boycotted country, with any
business concern organized under the laws of a boycotted country, with any national or
resident of a boycotted country, or with any other person, when such refusal is pursuant to
an agreement with the boycotting country, or a requirement of the boycotting country, or a
request from or on behalf of the boycotting country.37
Reporting requirements
Under the EAR, all US persons are required to report to BIS once a quarter whenever they
receive a ‘request to take any action which has the effect of furthering or supporting a restric-
tive trade practice or boycott fostered or imposed by a foreign country against a country
friendly to the United States or against any United States person’.40 Such a request can either
37 15 C.F.R. § 760.2(a)(1). Unlike the strict liability standard applied for violations of US sanctions, ‘intent’ is a
necessary element for an EAR anti-boycott violation; § 760.1(e)(3). Specifically, the EAR prohibits US persons
from taking or knowingly agreeing to take certain actions with the ‘intent to comply with, further, or support
an unsanctioned foreign boycott’; § 760.1(e)(1). Thus, a US person who ‘inadvertently, without boycott intent,
takes a prohibited action’, does not violate the EAR’s anti-boycott prohibitions contained in Section 760.2;
§ 760.1(e)(3). Notably, the EAR states that ‘intent’ does not mean that one has to agree with the boycott in
question, desire that the boycott succeed, or seek that the boycott be furthered or supported; § 760.1(e)(4).
Rather, the reason or purpose for an action can be proved by circumstantial evidence; § 760.1(e)(5).
38 15 C.F.R. § 760.2(d)(1). However, the prohibition on furnishing information does not apply to the furnishing
of normal business information in a commercial context, including information regarding financial fitness,
technical competence, or professional experience; § 760.2(d)(3).
39 26 U.S.C. § 999(b)(3).
40 15 C.F.R. § 760.5(a)(1). Notably, there are certain requests or actions that are not required to be reported
under the EAR, which are set forth in Section 760.5(a)(5). For example, US persons who are the owner, master,
charterer or employee of a vessel, aircraft, truck or certain other mode of transportation, are not required to
231
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
be verbal or in writing, and can include a request to furnish information or enter into or
implement an agreement. It may also include a solicitation, directive, legend or instruc-
tion that asks for information or that requests a US person to take or refrain from taking a
particular action.41
Under the TRA, US persons must annually report the receipt of any requests to partici-
pate in or cooperate with a boycott, regardless of whether they plan to assent to any request.42
Section 999’s reach is broad, such that if the taxpayer ‘knows or has reason to know that
participation in or cooperation with an international boycott is required as a condition of
doing business’ within a boycotting country or with a boycotting entity, the taxpayer must
report, regardless of whether it has direct contact with that country or entity.43
report requests that they provide a certificate demonstrating their eligibility to enter a particular port; 15 C.F.R.
§ 760.5(a)(5)(viii).
41 15 C.F.R. § 760.5(a).
42 26 U.S.C. § 999(a)(2).
43 26 U.S.C. § 999(a)(1)(B).
44 15 C.F.R. Appendix Supplement No. 2 to Part 766, Note to Paragraph (c)(1), at https://www.law.cornell.edu/
cfr/text/15/appendix-Supplement_No_2_to_part_766.
45 50 U.S.C. § 4843(a).
46 See 15 C.F.R. § 764.8(a); 15 C.F.R. App’x Supp. No. 2 to Part 766(d)(2)(i)(A).
47 See 26 U.S.C. § 999(b)(1); IRS Form 573 (Rev. Sept. 2018); see also Rufus Von Thulen Rhoades and
Marshall J Langer, U.S. International Taxation and Tax Treaties, §§ 11.01, 11.03 (2020).
48 26 U.S.C. § 999(f).
49 id.
232
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
charterparty agreement for a vessel transporting petroleum in the Middle East could be a red
flag that necessitates further enquiry to ensure there is no violation of the anti-boycott laws.
Third, attention should be given to requests to furnish information, including, for example,
information regarding prior port calls or business activity in Israel or other boycotted jurisdic-
tions. Finally, those subject to US anti-boycott laws should consider the exceptions contained
in the EAR and other laws, including those that permit certain activities necessary to comply
with local law in foreign jurisdictions.50
50 The EAR contains several exceptions that apply and determining whether an anti-boycott violation has occurred
is often dependent on the particular facts and circumstances of the conduct. See, generally, 15 C.F.R. §§ 760.2,
760.3.
51 While transactions with non-SDN nationals of certain sanctioned jurisdictions might be permissible if done
outside those territories, the US’s sanctions against Cuba, for example, generally prohibit transactions with
Cuban nationals, wherever located.
52 See, e.g., CSE Global Limited/CSE TransTel Pte Ltd Settlement, US Treasury Department’s Office of Foreign
Assets Control [OFAC] (27 July 2017), at https://home.treasury.gov/system/files/126/20170727_transtel.
pdf; PT Bukit Muria Jaya Enforcement Action, (14 January 2021), at https://home.treasury.gov/system/
files/126/20210114_BMJ.pdf; Essentra FZE Company Limited Enforcement Action, OFAC (16 July 2020), at
https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20200716_33.
53 The US re-imposed certain sanctions against individuals and entities in Burma related to human rights abuses
committed by the military. See, e.g., 25 March 2021 OFAC Announcement, available at https://home.treasury.
gov/policy-issues/financial-sanctions/recent-actions/20210325.
233
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
Burma.54 In a sense, this rule prevented US persons from doing indirectly what they were
prevented from doing directly, and is closely aligned with the concept of facilitation, which
prohibits US persons from approving, financing, facilitating or guaranteeing any transaction
by a foreign person ‘where the transaction by that foreign person would be prohibited . . . if
performed by a [US person] or within the United States’.55 The concepts of facilitation and
predominance differ in the sense that predominance penalises companies that profit from
business in sanctioned jurisdictions, whereas facilitation is meant to prevent US compa-
nies from enlisting foreign entities or individuals to engage in conduct that they themselves
could not otherwise perform. In short, while predominance is a concept to consider when
transacting with companies that have a large presence in sanctioned jurisdictions, the risk
of facilitation also poses a significant risk, especially with regard to US companies that have
foreign affiliates or subsidiaries, or counterparties involved in cross-border transactions in
high-risk jurisdictions.
54 31 C.F.R. § 537.412 (repealed by Exec. Order No. 13,742, 81 Fed. Reg. 70,593 (12 October 2016)); see
Perry S Bechky, Sanctions and the Blurred Boundaries of International Economic Law, 83 Mo. L. Rev. 1, 11, 12,
n.62 (2018).
55 31 C.F.R. § 560.208.
56 See OFAC FAQ 74.
234
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
OFAC through the licensing process and informal guidance from OFAC via its hotline. In
addition, EU operators cannot request a licence from OFAC to be exempt from the applica-
tion of extraterritorial sanctions listed in the Blocking Regulation. To seek a licence is very
likely to demonstrate ‘compliance’ with the US sanctions under Article 5. However, the
Commission acknowledges that it does not consider conversations with OFAC to understand
the effects of the sanctions to amount to compliance.57
235
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
Second, foreign subsidiaries of US companies face risks doing business even in sanctioned
jurisdictions other than Iran and Cuba. For example, foreign subsidiaries could face US regu-
latory exposure for doing business in a sanctioned jurisdiction (other than Iran or Cuba) if
the transaction transits the US financial system or otherwise has a nexus to the United States.
If the US parent company is a public company, then this could also trigger a public reporting
requirement if an enforcement investigation is initiated, an apparent violation is voluntarily
self-reported to OFAC or an SDN designation occurs. Additionally, if operations are coordi-
nated between the US entity and the foreign entity, or there are dual-hatted employees, then
that could also raise the risk of sanctions exposure, including under facilitation, conspiracy
to evade sanctions or ‘causing’ theories of liability. Notably, OFAC has advised of the risk
that companies subject to US jurisdiction face in referring business opportunities, approving
or signing off on transactions conducted by, or otherwise facilitating dealings between their
company’s non-US locations and sanctioned jurisdictions, regions or persons.59
Third, the US government has aggressively targeted non-US persons for designation who
have ‘materially assisted’ or otherwise provided financial support to SDNs. For example,
although there is no formal secondary sanctions regime for Venezuela, OFAC has targeted
non-US persons for transacting and otherwise supporting the government of Venezuela
and other sanctioned entities that the US has a foreign policy interest in isolating from the
world economy.60
Finally, credit agreements and other material contracts can subject foreign subsidiaries
of US companies to more stringent regulatory requirements than the strict letter of the law.
As part of a risk-based approach, US companies and their foreign subsidiaries should review
their material contracts to ensure they are in compliance with their contractual obligations,
and not simply rely on a strict letter of the law approach as it relates to US sanctions.
59 See OFAC, ‘A Framework for OFAC Compliance Commitments’, 2 May 2019, at www.treasury.gov/
resource-center/sanctions/Documents/framework_ofac_cc.pdf; see also Settlement Agreement between
OFAC and BIOMIN America, Inc, 6 May 2020, at www.treasury.gov/resource-center/sanctions/CivPen/
Documents/20200506_biomin.pdf; Settlement Agreement between OFAC and Berkshire Hathaway, Inc.,
20 Oct. 2020, at https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201020.
60 See, e.g., US Department of the Treasury designation of TNK Trading International SA, press release, at https://
home.treasury.gov/news/press-releases/sm937.
61 See footnote 20, above.
62 European Union (Withdrawal) Act 2018, Section 3.
63 The Protecting Against the Effects of the Extraterritorial Application of Third Country Legislation (Amendment)
(EU Exit) Regulations 2020.
236
© Law Business Research 2021
Navigating Conflicting Sanctions Regimes
removing references to ‘the EU’ and ‘Commission’. The UK government has issued guidance
on the operation of the blocking provisions in the UK.64
Going forward, the United Kingdom will be free to make additional changes to the
Blocking Regulation but is unlikely to do so in the short term. In the Explanatory
Memorandum that accompanied the draft amending legislation, the UK government stated:
We will continue to work with our European partners on matters of significance to the UK,
even as we leave the EU. We intend to uphold the policy intent of the Blocking Regulation
in our statute book once we have left the EU, so that we can mitigate the impact of extra-
territorial sanctions on our trading interests. The UK will assume responsibility for listing
extraterritorial sanctions legislation with which UK businesses must not comply.65
64 See Department of International Trade, ‘Protection of Trading Interests (retained blocking regulation)’,
19 November 2020, at www.gov.uk/guidance/protection-of-trading-interests-retained-blocking-regulation.
65 Explanatory Memorandum to the Extraterritorial US Legislation (Sanctions Against Cuba, Iran and Libya)
(Protection of Trading Interests) (Amendment) Order 2018, paragraph 7.5.
237
© Law Business Research 2021
16
Sanctions Issues Arising in Corporate Transactions
Once thought adequately addressed by a simple representation of compliance with the appro-
priate law, sanctions risk in corporate transactions has increased steadily as sanctions have
become more complex and more intertwined with other areas of regulatory compliance. To
further complicate the diligence required in these transactions, the footprints of transacting
parties have expanded around the globe, and expectations of various stakeholders (such
as investors, lenders, insurers and regulators) have heightened. Today, whether the trans-
action involves an acquisition, establishment of a joint venture, appointment of an agent,
onboarding a customer or even a divestiture, a full understanding and review of all applicable
sanctions, anti-boycott and export control requirements is necessary if enforcement risks are
to be minimised.
While this chapter attempts to present diligence principles and methodologies that can
be applied irrespective of the jurisdictions of the parties and businesses involved, it will not
escape the reader’s notice that principles of US law are featured prominently. Examination
of potential US law exposure is a necessary element of almost all transaction diligence owing
to the broad extraterritorial reach of US primary sanctions2 and related laws and regulations
affecting international business, the robust enforcement of such laws, and the wide-ranging
deployment of secondary sanctions designed to advance US national security and foreign
policy goals. Of course, diligence must cover all potentially applicable laws and regulations. A
comprehensive multi-jurisdictional review is beyond the scope of this chapter, but examples
of commonly encountered issues posed by EU and national laws are addressed.
1 Barbara D Linney is a partner and Orga Cadet and Ragan Updegraff are associates at BakerHostetler LLP.
2 US ‘primary’ sanctions are those that proscribe behaviour of US persons (and, in the case of Cuba and Iran
sanctions, non-US entities owned or controlled by them). ‘Secondary’ sanctions are those that do not proscribe
conduct but rather impose consequences on persons engaging in activities identified as contrary to US national
security or foreign policy.
238
© Law Business Research 2021
Sanctions Issues Arising in Corporate Transactions
3 See US Dep’t of the Treasury’s Office of Foreign Assets Control [OFAC], ‘Revised Guidance on Entities Owned
by Persons Whose Property and Interest in Property Are Blocked’ (2014); European Commission Opinion
of 19 June 2020 on Article 2 of Council Regulation (EU) No. 269/2014; Office of Financial Sanctions
Implementation, ‘Financial Sanctions: Guidance’ (December 2020), at 15.
4 See, e.g., Bureau of Political Military Affairs, US Dep’t of State, BAE Systems plc Consent Agreement (2011);
Bureau of Political Military Affairs, US Dep’t of State, Qioptiq S.a.r.l. Consent Agreement (2008). See also
Bureau of Industry and Security, US Dep’t of Commerce [BIS], Order Relating to Ghaddar Machinery Co., SAL
(2019) [Ghaddar].
5 OFAC, DENTSPLY SIRONA Inc. Settles Potential Civil Liability for Apparent Violations of the Iranian
Transactions and Sanctions Regulations (2019) [Dentsply].
239
© Law Business Research 2021
Sanctions Issues Arising in Corporate Transactions
tion of fines against a Lebanese company for re-exporting engines of US origin to Syria and
OFAC’s action against a dental supply company for exporting dental products of US origin
to third-country distributors with knowledge that the exports were destined for Iran.6
In the merger and acquisition (M&A) context, due diligence is a must if the risk of
successor liability for sanctions and export control violations and other offences is to be
assessed. Transactions structured as mergers generally pass liability for the pre-transaction
activities of the acquired entity to the buyer by operation of law, but successor liability can
also arise from stock purchases, as well as transactions structured as asset purchases. Of course,
stock purchases that maintain the separate status of the target entity do not create successor
liability for the buyer in the strictest sense of the term, but enforcement costs incurred by the
target entity in connection with pre-completion violations, with the associated reputational
costs, will diminish the value of the buyer’s investment in the target entity. Even in jurisdic-
tions without successor liability, difficulties may arise when company assets may include the
proceeds of previous sanctions and export control violations.
As for asset purchases, in a string of US cases, beginning with Sigma-Aldrich in 2002,7 the
Bureau of Industry and Security of the US Department of Commerce (BIS) has interpreted
the International Emergency Economic Powers Act (IEEPA)8 and the Export Administration
Regulations9 to impose successor liability for export violations on purchasers of assets when
‘substantial continuity’ of the business results from the transaction.10 Notably, IEEPA also
is the statutory underpinning for all US sanctions programmes save the Cuban embargo.
The Trading with the Enemy Act,11 which authorises the Cuban embargo, contains provi-
sions similar to the IEEPA provisions interpreted in Sigma-Aldrich and goes a step further by
purporting to impose obligations on non-US entities owned or controlled by US persons.
Sigma-Aldrich thus laid the groundwork for both BIS and OFAC to impose successor liability
on purchasers of assets when the purchased assets constitute a business that continues under
the new owner. As enumerated in Sigma-Aldrich, a finding of ‘substantial continuity’ will be
supported when:
the successor: (1) retains the same employees, supervisory personnel and the same production
facilities in the same location; (2) continues production of the same products; (3) retains
the same business name; (4) maintains the same assets and general business operations; and
(5) holds itself out to the public as a continuation of the previous corporation.12
240
© Law Business Research 2021
Sanctions Issues Arising in Corporate Transactions
The decision in Sigma-Aldrich was not appealed and the parties entered into a settlement
agreement, following which the BIS position on successor liability was applied in subsequent
settlement agreements with both BIS and OFAC.13
The Directorate of Defense Trade Controls (DDTC) , which administers the International
Traffic in Arms Regulations14 pursuant to the Arms Export Control Act,15 likewise has a long
history of imposing successor liability dating back to 2003, when the DDTC entered into a
consent agreement with Hughes Electronics Corporation and Boeing Satellite Systems, Inc
(formerly Hughes Space and Communications). The consent agreement imposed penal-
ties for violations that occurred several years prior to Boeing’s acquisition of the Hughes
space and communications division in 2000.16 The DDTC’s position on successor liability is
bolstered by its policy of requiring registered defence companies to agree in writing to assume
responsibility for pre-acquisition export licences issued to the acquired business.17
Although the US position on successor liability has been criticised by legal scholars, as a
practical matter, given OFAC’s sweeping discretionary powers and the ability of US export
agencies to deny export privileges, parties have tended to settle enforcement actions rather
than embark on time-consuming and expensive challenges to agency authority. As a result,
the risk of enforcement actions based on the successor liability concept remains an important
focus of sanctions and export control diligence.
In addition to its role in detecting potential successor liability, diligence in M&A trans-
actions is essential if patterns of violative behaviour that may continue post-closing are to
be discovered. OFAC has shown little patience for companies that have allowed violations
to continue post-closing,18 imposing penalties in a series of recent cases notwithstanding
voluntary disclosures filed by the acquirors. Root causes of violations emphasised by OFAC
included being ‘slow to integrate the subsidiary into the . . . corporate family, including with
respect to compliance with U.S. sanctions’ (Expedia); failure to ‘implement procedures to
monitor or audit [the subsidiary’s] operations to ensure that its Iran-related sales did not recur
post-acquisition’ (Stanley Black & Decker); and not undertaking ‘a fuller internal investigation’
13 See, e.g., BIS, Order Relating to Sirchie Acquisition Company, LLC (2010) and related Settlement Agreement
(2009); Dentsply (footnote 5, above).
14 22 C.F.R. §§ 120 to 130 (2020).
15 Arms Export Control Act (codified at 22 U.S.C. 2778 (2014)).
16 Bureau of Political Military Affairs, US Dep’t of State, Order in the Matter of Hughes Electronics Corporation
and Boeing Satellite Systems, Inc. and related Consent Agreement (2003).
17 See ‘Sample 5-Day Notice’ (for Buyer), Updating a Registration: Notification of Change for Mergers,
Acquisitions, and Divestitures, Directorate of Defense Trade Controls, at www.pmddtc.state.gov/
ddtc_public?id=ddtc_kb_article_page&sys_id=fc8aaa9adb74130044f9ff621f9619c3#tab-mad (last visited
25 June 2020).
18 See, e.g., OFAC, ‘OFAC Settles with Keysight Technologies Inc., as Successor Entity to Anite Finland OY,
with Respect to Potential Civil Liability for Apparent Violations of the Iranian Transactions and Sanctions
Regulations’ (2020) [Keysight ]; OFAC, ‘Expedia Group, Inc. (“Expedia”) Settles Potential Civil Liability for
Apparent Violations of the Cuban Assets Control Regulations’ (2019) [Expedia]; OFAC, ‘Stanley Black &
Decker, Inc. Settles Potential Civil Liability for Apparent Violations of the Iranian Transactions and Sanctions
Regulations Committed by its Chinese-Based Subsidiary Jiangsu Guoqiang Tools Co. Ltd’. (2019) [Stanley Black
& Decker]; OFAC, ‘AppliChem GmbH Assessed a Penalty for Violating the Cuban Assets Control Regulations’
(2019) [AppliChem]; OFAC, ‘Kollmorgen Corporation Settles Potential Civil Liability for Apparent Violations
of the Iranian Transactions and Sanctions Regulations’ (2019) [Kollmorgen].
241
© Law Business Research 2021
Sanctions Issues Arising in Corporate Transactions
242
© Law Business Research 2021
Sanctions Issues Arising in Corporate Transactions
an entity is ‘owned or controlled’ by a United States person if the United States person:
(i) Holds a 50 percent or greater equity interest by vote or value in the entity;
(ii) Holds a majority of seats on the board of directors of the entity; or
(iii) Otherwise controls the actions, policies, or personnel decisions of the entity.28
Although what constitutes ownership or control is undefined in the regulations governing the
Cuba sanctions programme, the definition applicable to Iran reflects OFAC’s long-standing
interpretation of the reach of the Cuba sanctions as well.
Diligence should be designed both to ferret out historical compliance lapses and identify
activities that will not be permitted post-completion, as well as the effects of implementing
any such prohibitions on the business outlook. Cessation of activities that will be unlawful
under US ownership or control may have a material adverse effect on the financial outlook
of the acquired business, while compliance failures post-completion will give rise to enforce-
ment risk. Nevertheless, the parties may decide to proceed with the transaction, notwith-
standing any detrimental effect on the business that would result from the need to cease
certain operations post-completion. In such cases, further diligence should be conducted
regarding the legal risks associated with cessation so that advice can be taken on how best
to navigate any potential roadblocks, such as those posed by so-called ‘blocking’ statutes.
24 Iranian Transactions and Sanctions Regulations, 31 C.F.R. pt. 560 (2020); Cuban Assets Control Regulations,
31 C.F.R. pt. 515 (2020).
25 15 C.F.R. § 760.1(b).
26 15 C.F.R. § 760.1(c).
27 31 C.F.R. § 515.329; 31 C.F.R. § 560.215.
28 31 C.F.R. § 560.215(b)(1).
243
© Law Business Research 2021
Sanctions Issues Arising in Corporate Transactions
Several jurisdictions, as well as the European Union, have adopted blocking measures to
counteract extraterritorial application of US sanctions against Cuba and Iran,29 while Canada
has restricted its blocking measures to the Cuba embargo,30 and German law targets foreign
boycotts.31 Thus, advice should be taken before completion so that an appropriate plan of
action can be formulated, bearing in mind recent enforcement actions against US companies
who failed to prevent their recently acquired non-US subsidiaries from continuing business
with Cuba and Iran.32 Litigation risk arising from breach of contract claims from parties to
discontinued relationships may also be a factor.
Transactional diligence, like compliance programmes, should also be customised to fit
the risks presented and the risk appetites of the parties. Some companies subject all potential
agents or distributors to background checks; others apply such requirements only to relation-
ships with third parties located in countries or regions considered high risk from a sanctions,
corruption or export diversion perspective. In the absence of red flags, third-party certifica-
tions of matters such as ownership and control, as well as compliance, can be considered in
place of more extensive diligence.
Diligence checklists must be the subject of continuous improvement. Laws and regula-
tions in the sanctions and export control area change frequently, and these changes usually
spawn new diligence requirements, as do new enforcement actions and agency guidance.
In each transaction, care should be taken to ensure that compliance with all applicable
sanctions and export controls is reviewed, based on the jurisdiction of formation and places
of business as well as products and services of the target company.
When considering doing business with or acquiring a company with operations outside
the United States, possible secondary sanctions risk based on the nature of the target’s busi-
ness also must be considered. US secondary sanctions target those doing business with
numerous sectors of the Iranian economy, as well as Russia, Venezuela and North Korea,
among other countries.
Relationships with customers, agents or distributors in countries or regions characterised
by high risk for diversion or corruption also should be scrutinised carefully – several countries
in Asia and the Middle East come to mind in this regard, although, perhaps surprisingly to
some, US law enforcement officials also view Canada as a country of diversion risk.
Other often overlooked but important areas of potential liability when conducting due
diligence on non-US companies include application of US sanctions and export control
29 See, e.g., Council Regulation (EC) No. 2271/96 of 22 November 1996 protecting against the effects of the
extra-territorial application of legislation adopted by a third country, and actions based thereon or resulting
therefrom (as amended by Commission Delegated Regulation (EU) 2019/1100 of 6 June 2018); and, for the
position in the United Kingdom on the expiry of the Brexit transition period, see The Protecting against the
Effects of the Extraterritorial Application of Third Country Legislation (Amendment) (EU Exit) Regulations
2019 (in draft form).
30 Foreign Extraterritorial Measures Act, R.S.C. ch. F-29 (1985), as amended by Bill C-54, proclaimed in force
1 January 1997; Foreign Extraterritorial Measures (United States) Order, 1992, as amended, SOR 96-84,
5 January 1996.
31 Foreign Trade and Payments Ordinance, § 7 (Boycott Declaration) (Ger.).
32 OFAC, ‘Acteon Group Ltd. and 2H Offshore Engineering Ltd. Settle Potential Civil Liability for Apparent
Violations of the Cuban Assets Control Regulations’ (2019); AppliChem (see footnote 18, above); Stanley Black
& Decker (see footnote 18, above); Kollmorgen (see footnote 18, above).
244
© Law Business Research 2021
Sanctions Issues Arising in Corporate Transactions
de minimis rules and compliance with US export controls applicable to foreign-produced
items. Many non-US companies are unaware of the extent to which their products might be
subject to US export controls and sanctions as a result of incorporating components of US
origin or that have been manufactured using US technology or plant and equipment.
Though traditionally an exercise conducted primarily by the buyer, the increasing conver-
gence of sanctions and export controls with other areas of law and regulation, including
national security, anti-money laundering (AML) and anti-corruption, has given rise to dili-
gence obligations for all parties to the transaction. In transactions that may be reviewed by
the Committee on Foreign Investment in the United States, both parties will need to assess
the export controls applicable to the target US business to assess whether mandatory filing
requirements apply,33 and sellers will want to assess the sanctions and export control compli-
ance history of potential non-US buyers, given new rules that ban companies with a history
of violations of US sanctions and export controls from enjoying certain exceptions to the
mandatory filing requirements.34 Investors and bankers providing financing for a transaction
will want to ensure sanctions and anti-financial crime compliance by all parties, as well as
compliance with export controls and sanctions by the acquired company. Representation and
warranty insurers likewise will be alert for compliance lapses so that material violations can
be excluded from coverage.
Streamlining diligence
As much as possible, diligence should be streamlined to avoid having to go over the same
ground multiple times. Particularly in the context of M&A activity, the target company’s
appetite and capacity for responding to diligence requests can wane in the face of competing
queries from a myriad of business and legal teams.
Efficiencies can be achieved in the M&A context by minimising the number of requests
for the same information. For example, questions relating to sanctions risk assessment,
internal controls, testing and auditing, compliance training and management’s demonstrated
commitment to comply with applicable sanctions and export control law can be grouped
with similar questions about other relevant compliance matters. Further efficiencies can be
achieved if the various subject matter experts reviewing the responses to diligence queries
coordinate their efforts to avoid having multiple reviewers pore over the same document.
When onboarding business partners, deployment of multiple work streams should be
avoided. Questions relating to sanctions, anti-corruption, AML and export compliance
should be consolidated into one online or paper form rather than sprinkled throughout a
variety of documents and certifications. OFAC recently has signalled approval of this holistic
approach. In a release regarding its the 2019 enforcement action against Apollo Aviation
Group, LLC (Apollo), OFAC emphasised the importance of know-your-customer (KYC)
diligence – traditionally the purview of export and AML compliance guidelines – in the
context of sanctions compliance, noting ‘the importance of companies operating internation-
ally to implement Know You [sic] Customer screening procedures and implement compliance
33 31 C.F.R. § 800.401.
34 31 C.F.R. § 800.219; 31 C.F.R. § 802.215 (2020).
245
© Law Business Research 2021
Sanctions Issues Arising in Corporate Transactions
measures that extend beyond the point-of-sale and function throughout the entire business
or lease period’.35
35 OFAC, ‘Apollo Aviation Group, LLC (“Apollo,” now d/b/a Carlyle Aviation Partners Ltd.1) Settles
Potential Civil Liability for Apparent Violations of the Sudanese Sanctions Regulations’, 31 C.F.R.
pt. 538, 3 (2019) [Apollo].
36 US Department of Justice, SAP Admits to Thousands of Illegal Exports of its Software Products to Iran and
Enters into Non-Prosecution Agreement with DOJ (2021); Export Control and Sanctions Enforcement Policy
for Business Organizations, US Department of Justice (13 December 2019), available at www.justice.gov/nsd/
ces_vsd_policy_2019/download.
37 22 C.F.R. § 126.1(e)(2) (2020).
38 See, e.g., the anti-money laundering reporting requirements that must be implemented in EU Member
States in accordance with Directive (EU) 2018/843 of the European Parliament and of the Council of
30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the
purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU
(OJL 156, 19/6/2018, at 43 to 74).
246
© Law Business Research 2021
Sanctions Issues Arising in Corporate Transactions
breaches of sanctions.39 Moreover, EU regulations giving effect to sanctions laws are accom-
panied by general obligations to report information that would facilitate compliance.
If the filing of a disclosure is determined to be warranted or required, or if an enforcement
action is commenced during the period of diligence, the buyer and its counsel may wish to
have input into the disclosure or response to the enforcement action. In these circumstances,
a joint defence agreement may be considered as a means of protecting privilege. Absent a
joint defence agreement, sellers should keep in mind that legal privilege does not attach to
responses to the buyer’s diligence queries. Furthermore, depending upon the jurisdiction,
disclosures to one’s own in-house counsel likewise may not be protected, in which case it may
be prudent to channel compliance diligence regarding potentially sensitive matters through
external counsel.
Remediation
Both parties can and should take steps to remediate compliance breaches and enforcement
risks identified during diligence.
In the lead-up to a merger or acquisition, a seller who discovers historical breaches bears
primary responsibility for stopping the unlawful conduct and beginning to implement
corrective actions. However, while some remediation steps (such as disciplining employees
involved in the misconduct) can be taken fairly quickly, other more systemic responses
(such as overhauling compliance programmes and procedures) may be best left to the buyer,
particularly if the buyer has a robust compliance programme that it intends to roll out to the
newly acquired business. In such instances, the seller may choose to implement only those
short-term remediation measures required to ensure that no further breaches occur prior to
the closing.
The buyer, however, is responsible for lapses that continue or occur on its watch, and
several recent OFAC enforcement actions discussed in this chapter (Keysight, Expedia, Stanley
Black & Decker, AppliChem and Kollmorgen) illustrate the importance of regular compli-
ance monitoring in the context of integrating newly acquired businesses.40 Thus, it is not
enough merely to have compliance policies and procedures and provide training; compa-
nies must also monitor compliance with their policies and procedures if they wish to avoid
enforcement action.
This can be of particular concern for newly acquired non-US companies. For instance, as
the Keysight and Kollmorgen cases highlight, parent companies should be particularly careful
when acquiring non-US companies that have pre-existing relationships with sanctioned
persons and jurisdictions that may continue despite directives from the parent company
to the non-US subsidiary that these relationships be terminated.41 As in both Keysight and
Kollmorgen, the non-US subsidiary may even undertake efforts to conceal continued business
with sanctioned parties from the parent company by falsifying corporate records. Because
of the risk that non-US subsidiaries may continue to do business with sanctioned parties,
39 See, e.g., the UK reporting obligation as extended by The European Union Financial Sanctions (Amendment of
Information Provisions) Regulations 2017.
40 See, e.g., Expedia (footnote 18, above); Stanley Black & Decker (footnote 18, above); AppliChem (footnote 18,
above); Kollmorgen (footnote 18, above).
41 See Keysight (footnote 18, above); Kollmorgen (footnote 18, above).
247
© Law Business Research 2021
Sanctions Issues Arising in Corporate Transactions
it becomes particularly important for companies acquiring non-US companies not simply
to rely on certifications from non-US subsidiaries that they have ceased such business, but
also to take pro-active steps to ensure that such business has actually ceased by insisting on
parent company visibility into the newly acquired non-US subsidiary’s corporate records.
Although in both Keysight and Kollmorgen, the buyer did not have knowledge of its newly
acquired subsidiary’s continued sales to Iran, in Kollmorgen OFAC detailed the buyer’s
‘extensive efforts’ to ensure post-acquisition compliance and determined the violations to be
non-egregious (imposing a base penalty of only US$7,434 rather than the US$750,000 that
would have been imposed if OFAC had found the violations egregious). In finding the
violations non-egregious, OFAC credited the buyer’s ‘extensive and preventative remedial
conduct’. However, in Keysight, in which OFAC did not make such a finding as to buyer’s
post-acquisition compliance efforts, OFAC found the violations egregious and imposed a
base penalty of US$1,051,460 (half the statutory maximum) – the lesson being that the more
post-acquisition diligence and remedial measures, the more likely the buyer is to receive leni-
ency from OFAC should violations continue to occur post-closing. The SAP case also illus-
trates the benefits of remediation. As noted by the Department of Justice, ‘SAP will suffer the
penalties for its violations of the Iran sanctions, but these would have been far worse had they
not disclosed, cooperated, and remediated.’42 The disclosure, cooperation and remediation
culminated in a non-prosecution agreement with the Department of Justice and administra-
tive agreements with OFAC and BIS.
In the context of agreements with customers and other third parties, the parties must
decide to what extent a breach of compliance obligations triggers termination rights. The
agreement also should clearly address the role that each party will play in remediation, in the
absence of a triggering breach.
42 US Department of Justice, SAP Admits to Thousands of Illegal Exports of its Software Products to Iran and
Enters into Non-Prosecution Agreement with DOJ (2021).
43 See Apollo (footnote 35, above).
248
© Law Business Research 2021
Sanctions Issues Arising in Corporate Transactions
Notwithstanding the inclusion of this clause, Apollo did not ensure the aircraft engines were
utilized in a manner that complied with OFAC’s regulations. For example, at the time,
Apollo did not obtain U.S. law export compliance certificates from lessees and sublessees.
Additionally, Apollo did not periodically monitor or otherwise verify its lessee’s and subles-
see’s adherence to the lease provision requiring compliance with U.S. sanctions during the
life of the lease.
44 See e.g., Stanley Black & Decker (footnote 18, above); Kollmorgen (footnote 18, above).
45 See Apollo (footnote 35, above), and discussion above at ‘Streamlining diligence’.
46 See e.g., Kollmorgen (footnote 18, above); Stanley Black & Decker (footnote 18, above); Expedia (footnote 18,
above); AppliChem (footnote 18, above).
249
© Law Business Research 2021
Sanctions Issues Arising in Corporate Transactions
when doing business with entities with known contacts with OFAC-sanctioned entities and
jurisdictions, compliance monitoring throughout the life of the relationship, training, KYC
screening procedures and, when applicable, the obtaining of compliance certifications.47
In light of these ongoing diligence and compliance expectations, buyers evaluating poten-
tial mergers or acquisitions and parties contemplating commercial transactions should ensure
that their pre-completion due diligence includes not only an assessment of the legal and
business risks discussed in this chapter, but also an evaluation of their capacity to meet the
expectations of regulators for ongoing diligence and compliance, as well as the enforcement
risks they will face if these expectations are not met.
47 See Apollo (footnote 35, above) and discussion above at ‘Supplementing diligence’.
250
© Law Business Research 2021